[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] note apache2 fixes
Stefan Fritsch pushed to branch master at Debian Security Tracker / security-tracker Commits: 0da4e696 by Stefan Fritsch at 2018-03-31T14:34:23+02:00 note apache2 fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20917,7 +20917,7 @@ CVE-2018-1314 CVE-2018-1313 RESERVED CVE-2018-1312 (In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest ...) - - apache2 + - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/7 CVE-2018-1311 RESERVED @@ -20958,16 +20958,16 @@ CVE-2018-1304 (The URL pattern of (the empty string) which exactly NOTE: https://svn.apache.org/r1823309 (7.0.x) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62067 CVE-2018-1303 (A specially crafted HTTP request header could have crashed the Apache ...) - - apache2 + - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/3 CVE-2018-1302 (When an HTTP/2 stream was destroyed after being handled, the Apache ...) - - apache2 + - apache2 2.4.33-1 [jessie] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/5 CVE-2018-1301 (A specially crafted request could have crashed the Apache HTTP Server ...) - - apache2 + - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/2 CVE-2018-1300 RESERVED @@ -21020,7 +21020,7 @@ CVE-2018-1285 CVE-2018-1284 RESERVED CVE-2018-1283 (In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to ...) - - apache2 + - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/4 CVE-2018-1282 RESERVED 
@@ -28835,7 +28835,7 @@ CVE-2017-15717 (A flaw in the way URLs are escaped and encoded in the ...) CVE-2017-15716 RESERVED CVE-2017-15715 (In Apache httpd 2.4.0 to 2.4.29, the expression specified in ...) - - apache2 + - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/6 CVE-2017-15714 (The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape ...) NOT-FOR-US: BIRT plugin in Apache OFBiz @@ -28846,7 +28846,7 @@ CVE-2017-15712 (Vulnerability allows a user of Apache Oozie 3.1.3-incubating to CVE-2017-15711 REJECTED CVE-2017-15710 (In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to ...) - - apache2 + - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/8 CVE-2017-15709 (When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 ...) - activemq 5.15.3-1 (bug #890352) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0da4e6969363e63357348d440c46929598405c87 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0da4e6969363e63357348d440c46929598405c87 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
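Review bot: the CVE-2018-1302 hunk is the only one in this commit that carries per-suite lines, and its [jessie]/[wheezy] "Vulnerable code not present" entries are backed by the "HTTP/2 support introduced in 2.4.17" NOTE, which is the right way to record a not-affected decision. The neighbouring CVE-2018-1303 and CVE-2018-1301 hunks record only "apache2 2.4.33-1" and therefore stay open for the stable suites; that is the safe default, but a follow-up should add the DSA reference or a no-dsa decision for them.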
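Review bot: the CVE-2017-15710 description covers "2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to ...", i.e. both the 2.2 and the 2.4 series, and the hunk adds only the unstable fix 2.4.33-1, so the 2.2.22-based wheezy and 2.4.10-based jessie packages seen in the DSA entries on this page remain listed as affected until a suite line is added. Worth confirming that this is intended rather than an omission, since the CVE-2017-15715 hunk just above is in the same state.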
[Secure-testing-commits] r47308 - data/CVE
Author: sf Date: 2016-12-21 23:13:30 + (Wed, 21 Dec 2016) New Revision: 47308 Modified: data/CVE/list Log: update apache2 issues Modified: data/CVE/list === --- data/CVE/list 2016-12-21 22:17:10 UTC (rev 47307) +++ data/CVE/list 2016-12-21 23:13:30 UTC (rev 47308) @@ -11273,7 +11273,7 @@ RESERVED CVE-2016-8743 [Apache HTTP Request Parsing Whitespace Defects] RESERVED - - apache2 + - apache2 2.4.25-1 NOTE: https://lists.apache.org/thread.html/139862b41c0dfd5e6e00ad89c00119f9faf0dd41a2f927da9c9a4076@%3Cannounce.httpd.apache.org%3E NOTE: https://httpd.apache.org/security/vulnerabilities_24.html NOTE: The fix is not fully backwards compatible so upstream have @@ -11286,7 +11286,7 @@ CVE-2016-8741 RESERVED CVE-2016-8740 (The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, ...) - - apache2 (bug #847124) + - apache2 2.4.25-1 (bug #847124) [jessie] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 @@ -5,7 +5,7 @@ NOTE: http://struts.apache.org/docs/s2-030.html CVE-2016-2161 [DoS vulnerability in mod_auth_digest] RESERVED - - apache2 + - apache2 2.4.25-1 [wheezy] - apache2 (Vulnerable code introduced in 2.4.x) NOTE: https://lists.apache.org/thread.html/139862b41c0dfd5e6e00ad89c00119f9faf0dd41a2f927da9c9a4076@%3Cannounce.httpd.apache.org%3E NOTE: Fixed by: https://svn.apache.org/r1772919 @@ -38619,7 +38619,7 @@ NOTE: Swift: >=2.2.1 <= 2.3.0 CVE-2016-0736 [Padding Oracle in Apache mod_session_crypto] RESERVED - - apache2 + - apache2 2.4.25-1 [wheezy] - apache2 (Vulnerable code not present) NOTE: https://lists.apache.org/thread.html/139862b41c0dfd5e6e00ad89c00119f9faf0dd41a2f927da9c9a4076@%3Cannounce.httpd.apache.org%3E NOTE: Fixed by: https://svn.apache.org/r1772812 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
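Review bot: the CVE-2016-2161 hunk marks [wheezy] not-affected with the reason "Vulnerable code introduced in 2.4.x" but adds no [jessie] line, and jessie ships 2.4.10 (see the DSA-3325-1 entry on this page), so jessie stays open; make sure a DSA or no-dsa decision follows. Minor: the reason text differs from the "Vulnerable code not present" wording used in the CVE-2016-8740 and CVE-2016-0736 hunks of the same commit; using one phrase keeps the not-affected annotations greppable.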
[Secure-testing-commits] r43358 - data/CVE
Author: sf Date: 2016-07-21 22:44:22 + (Thu, 21 Jul 2016) New Revision: 43358 Modified: data/CVE/list Log: note apache2 fix Modified: data/CVE/list === --- data/CVE/list 2016-07-21 21:54:05 UTC (rev 43357) +++ data/CVE/list 2016-07-21 22:44:22 UTC (rev 43358) @@ -2647,7 +2647,7 @@ - libapache2-mod-fcgid CVE-2016-5387 (The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 ...) {DSA-3623-1 DLA-553-1} - - apache2 + - apache2 2.4.23-2 NOTE: https://www.apache.org/security/asf-httpoxy-response.txt CVE-2016-5386 (The net/http package in Go through 1.6 does not attempt to address RFC ...) - golang ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43025 - data/CVE
Author: sf Date: 2016-07-05 22:05:33 + (Tue, 05 Jul 2016) New Revision: 43025 Modified: data/CVE/list Log: note apache2 fix Modified: data/CVE/list === --- data/CVE/list 2016-07-05 21:10:10 UTC (rev 43024) +++ data/CVE/list 2016-07-05 22:05:33 UTC (rev 43025) @@ -3342,7 +3342,7 @@ NOT-FOR-US: Red Hat xguest kiosk mode CVE-2016-4979 RESERVED - - apache2 + - apache2 2.4.23-1 [jessie] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
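Review bot: the CVE-2016-4979 entry is still a bare RESERVED with no bracketed title, while other reserved entries on this page carry one (e.g. "CVE-2014-0231 [mod_cgid denial of service]"); add a short title so the entry is searchable, and a NOTE: with the upstream reference, since the [jessie]/[wheezy] "Vulnerable code not present" decision currently rests on the "HTTP/2 support introduced in 2.4.17" note alone.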
[Secure-testing-commits] r36137 - data/DSA
Author: sf Date: 2015-08-18 12:15:22 + (Tue, 18 Aug 2015) New Revision: 36137 Modified: data/DSA/list Log: note apache2 regression update Modified: data/DSA/list === --- data/DSA/list 2015-08-18 09:45:44 UTC (rev 36136) +++ data/DSA/list 2015-08-18 12:15:22 UTC (rev 36137) @@ -1,3 +1,5 @@ +[18 Aug 2015] DSA-3325-2 apache2 - regression update + [wheezy] - apache2 2.2.22-13+deb7u6 [17 Aug 2015] DSA-3336-1 nss - security update {CVE-2015-2721 CVE-2015-2730} [wheezy] - nss 2:3.14.5-1+deb7u5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35964 - in data: . DSA
Author: sf Date: 2015-08-10 17:58:09 + (Mon, 10 Aug 2015) New Revision: 35964 Modified: data/DSA/list data/dsa-needed.txt Log: reserve subversion DSA id Modified: data/DSA/list === --- data/DSA/list 2015-08-10 17:24:00 UTC (rev 35963) +++ data/DSA/list 2015-08-10 17:58:09 UTC (rev 35964) @@ -1,3 +1,7 @@ +[10 Aug 2015] DSA-3331-1 subversion - security update + {CVE-2015-3184 CVE-2015-3187} + [wheezy] - subversion 1.6.17dfsg-4+deb7u10 + [jessie] - subversion 1.8.10-6+deb8u1 [08 Aug 2015] DSA-3321-2 opensaml2 - security update [wheezy] - opensaml2 2.4.3-4+deb7u1 [jessie] - opensaml2 2.5.3-2+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-10 17:24:00 UTC (rev 35963) +++ data/dsa-needed.txt 2015-08-10 17:58:09 UTC (rev 35964) @@ -73,10 +73,6 @@ -- squid/oldstable -- -subversion (sf) - Maintainer prepared an update for jessie-security. Check if we want - wheezy-update as well for CVE-2015-3187 --- t1utils/oldstable (ghedo) Patch applied for stable seems incomplete since similar code is in t1asm.c and t1disasm.c Security impact of #724571 might need to be checked as well ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
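Review bot: the dsa-needed.txt hunk removes the open question "Check if we want wheezy-update as well for CVE-2015-3187" at the same time as the DSA/list hunk adds "[wheezy] - subversion 1.6.17dfsg-4+deb7u10", so the question is answered only implicitly; since the log says this merely reserves the DSA id, the wheezy version recorded here should be re-checked against the package that is actually uploaded before the advisory text is sent.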
[Secure-testing-commits] r35945 - data
Author: sf Date: 2015-08-09 13:05:03 + (Sun, 09 Aug 2015) New Revision: 35945 Modified: data/dsa-needed.txt Log: take subversion Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-09 06:56:46 UTC (rev 35944) +++ data/dsa-needed.txt 2015-08-09 13:05:03 UTC (rev 35945) @@ -71,7 +71,7 @@ -- squid/oldstable -- -subversion +subversion (sf) Maintainer prepared an update for jessie-security. Check if we want wheezy-update as well for CVE-2015-3187 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35827 - data/DSA
Author: sf Date: 2015-08-01 21:23:34 + (Sat, 01 Aug 2015) New Revision: 35827 Modified: data/DSA/list Log: Grab DSA id for apache2 Modified: data/DSA/list === --- data/DSA/list 2015-08-01 21:10:14 UTC (rev 35826) +++ data/DSA/list 2015-08-01 21:23:34 UTC (rev 35827) @@ -1,3 +1,7 @@ +[01 Aug 2015] DSA-3325-1 apache2 - security update + {CVE-2015-3183 CVE-2015-3185} + [wheezy] - apache2 2.2.22-13+deb7u5 + [jessie] - apache2 2.4.10-10+deb8u1 [01 Aug 2015] DSA-3324-1 icedove - security update {CVE-2015-2721 CVE-2015-2724 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-4000} [wheezy] - icedove 31.8.0-1~deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
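Review bot: the DSA-3325-1 hunk lists both CVE-2015-3183 and CVE-2015-3185 above the [wheezy] 2.2.22-13+deb7u5 and [jessie] 2.4.10-10+deb8u1 lines, whereas the r35829 commit below records CVE-2015-3185 as [wheezy] not-affected ("Bug introduced during 2.4 development"). That is not a contradiction, since the CVE list is the union over suites, but the advisory text should state that the wheezy package addresses only CVE-2015-3183 so the wheezy version is not read as fixing both.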
[Secure-testing-commits] r35828 - data
Author: sf Date: 2015-08-01 22:04:57 + (Sat, 01 Aug 2015) New Revision: 35828 Modified: data/dsa-needed.txt Log: remove resolved issue Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-01 21:23:34 UTC (rev 35827) +++ data/dsa-needed.txt 2015-08-01 22:04:57 UTC (rev 35828) @@ -16,8 +16,6 @@ -- activemq -- -apache2 (sf) --- asterisk -- aptdaemon ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35829 - data/CVE
Author: sf Date: 2015-08-01 22:52:33 + (Sat, 01 Aug 2015) New Revision: 35829 Modified: data/CVE/list Log: note apache2 fixes Modified: data/CVE/list === --- data/CVE/list 2015-08-01 22:04:57 UTC (rev 35828) +++ data/CVE/list 2015-08-01 22:52:33 UTC (rev 35829) @@ -6617,7 +6617,7 @@ CVE-2015-3186 RESERVED CVE-2015-3185 (The ap_some_auth_required function in server/request.c in the Apache ...) - - apache2 unfixed + - apache2 2.4.16-1 [wheezy] - apache2 not-affected (Bug introduced during 2.4 development) [squeeze] - apache2 not-affected (Bug introduced during 2.4 development) NOTE: https://www.apache.org/dist/httpd/Announcement2.4.txt @@ -6628,7 +6628,7 @@ RESERVED CVE-2015-3183 (The chunked transfer coding implementation in the Apache HTTP Server ...) {DLA-284-1} - - apache2 unfixed + - apache2 2.4.16-1 NOTE: https://www.apache.org/dist/httpd/Announcement2.4.txt NOTE: https://www.apache.org/dist/httpd/CHANGES_2.4.16 NOTE: http://svn.apache.org/viewvc?view=revisionrevision=1684515 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
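Review bot: the CVE-2015-3183 hunk keeps only {DLA-284-1} in the cross-reference line and the CVE-2015-3185 entry has none, although DSA-3325-1 was reserved for exactly these two CVEs in r35827 earlier the same day; unless that reference is filled in by tooling, add {DSA-3325-1} to both entries so the tracker links the CVEs to the advisory.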
[Secure-testing-commits] r32882 - data/CVE
Author: sf Date: 2015-03-15 10:28:35 + (Sun, 15 Mar 2015) New Revision: 32882 Modified: data/CVE/list Log: apache2 fix Modified: data/CVE/list === --- data/CVE/list 2015-03-15 09:11:08 UTC (rev 32881) +++ data/CVE/list 2015-03-15 10:28:35 UTC (rev 32882) @@ -7752,7 +7752,7 @@ CVE-2015-0229 RESERVED CVE-2015-0228 (The lua_websocket_read function in lua_request.c in the mod_lua module ...) - - apache2 unfixed (low) + - apache2 2.4.10-10 (low) [wheezy] - apache2 not-affected (no mod_lua in 2.2) [squeeze] - apache2 not-affected (no mod_lua in 2.2) NOTE: https://github.com/apache/httpd/commit/643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32224 - data/CVE
Author: sf Date: 2015-02-13 23:56:41 + (Fri, 13 Feb 2015) New Revision: 32224 Modified: data/CVE/list Log: New apache2 DoS Modified: data/CVE/list === --- data/CVE/list 2015-02-13 21:10:16 UTC (rev 32223) +++ data/CVE/list 2015-02-13 23:56:41 UTC (rev 32224) @@ -5771,8 +5771,11 @@ RESERVED CVE-2015-0229 RESERVED -CVE-2015-0228 +CVE-2015-0228 [apache2 mod_lua websocket DoS] RESERVED + - apache2 unfixed (low) + [wheezy] - apache2 not-affected (no mod_lua in 2.2) + [squeeze] - apache2 not-affected (no mod_lua in 2.2) CVE-2015-0227 (Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote ...) - wss4j 1.6.15-2 (bug #41) CVE-2015-0226 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
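Review bot: the CVE-2015-0228 hunk sets "unfixed (low)" and marks wheezy/squeeze not-affected ("no mod_lua in 2.2") but records no NOTE: with the upstream report or fix, so neither the (low) rating nor the affected range can be checked from the entry itself; the upstream commit URL that r32882 adds later on this page belongs here already.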
[Secure-testing-commits] r31308 - data/CVE
Author: sf Date: 2015-01-13 20:57:03 + (Tue, 13 Jan 2015) New Revision: 31308 Modified: data/CVE/list Log: apache issue already fixed Modified: data/CVE/list === --- data/CVE/list 2015-01-13 19:15:14 UTC (rev 31307) +++ data/CVE/list 2015-01-13 20:57:03 UTC (rev 31308) @@ -1,5 +1,7 @@ CVE-2015- [IP address spoofing in mod_remoteip] - - apache2 unfixed + - apache2 2.4.9-1 + [wheezy] - apache2 not-affected (no mod_remoteip in 2.2) + [squeeze] - apache2 not-affected (no mod_remoteip in 2.2) NOTE: https://svn.apache.org/viewvc?view=revisionrevision=1564052 NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=54651 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/13/1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
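Review bot: the hunk records the unstable fix 2.4.9-1 and the wheezy/squeeze not-affected lines under the placeholder id "CVE-2015-" at the very top of the file (hunk @@ -1,5 +1,7 @@); once the id from the CVE request in the last NOTE is assigned, the whole block has to be renamed and moved into numeric order, so keep the three NOTE: lines attached to it when that happens.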
[Secure-testing-commits] r30996 - data/CVE
Author: sf Date: 2014-12-28 08:08:51 + (Sun, 28 Dec 2014) New Revision: 30996 Modified: data/CVE/list Log: upcoming apache2 fix Modified: data/CVE/list === --- data/CVE/list 2014-12-28 07:56:55 UTC (rev 30995) +++ data/CVE/list 2014-12-28 08:08:51 UTC (rev 30996) @@ -15276,8 +15276,8 @@ NOT-FOR-US: Apache CXF CVE-2014-3583 (The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi ...) - apache2 2.4.10-8 (low) - [wheezy] - apache2 no-dsa (minor issue) - [squeeze] - apache2 no-dsa (minor issue) + [wheezy] - apache2 not-affected (no mod_proxy_fcgi in 2.2) + [squeeze] - apache2 not-affected (no mod_proxy_fcgi in 2.2) NOTE: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?r1=1618401r2=1638818 NOTE: Only exploitable by a malicious fcgi script. CVE-2014-3582 @@ -29120,7 +29120,7 @@ CVE-2013-5704 (The mod_headers module in the Apache HTTP Server 2.2.22 allows remote ...) {DLA-71-1} - apache2 2.4.10-2 (medium) - [wheezy] - apache2 no-dsa (minor issue) + [wheezy] - apache2 2.2.22-13+deb7u4 NOTE: http://marc.info/?l=apache-httpd-devm=139636309822854w=2 CVE-2013-5703 (The DrayTek Vigor 2700 router 2.8.3 allows remote attackers to execute ...) NOT-FOR-US: DrayTek Vigor 2700 router ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
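Review bot: the CVE-2013-5704 hunk replaces the [wheezy] no-dsa (minor issue) line with the fixed version 2.2.22-13+deb7u4 while the cross-reference line still reads only {DLA-71-1}, so this records a fix that is not going out as a DSA; if it ships in a point release, add it to data/next-point-update.txt as r25461 on this page did for CVE-2013-1896 so the tracker reflects it before the point release. The 2.2.x patch link that r29928 dropped would be the natural NOTE to restore alongside this version.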
[Secure-testing-commits] r30927 - data/CVE
Author: sf Date: 2014-12-22 20:58:00 + (Mon, 22 Dec 2014) New Revision: 30927 Modified: data/CVE/list Log: apache2 fixed Modified: data/CVE/list === --- data/CVE/list 2014-12-22 19:01:25 UTC (rev 30926) +++ data/CVE/list 2014-12-22 20:58:00 UTC (rev 30927) @@ -4045,7 +4045,7 @@ RESERVED CVE-2014-8109 [apache mod_lua LuaAuthzProvider uses wrong arguments] RESERVED - - apache2 unfixed + - apache2 2.4.10-9 [wheezy] - apache2 not-affected (mod_lua only in 2.4) [squeeze] - apache2 not-affected (mod_lua only in 2.4) CVE-2014-8108 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r30559 - data/CVE
Author: sf Date: 2014-12-05 15:53:03 + (Fri, 05 Dec 2014) New Revision: 30559 Modified: data/CVE/list Log: new apache2 issue Modified: data/CVE/list === --- data/CVE/list 2014-12-05 12:10:43 UTC (rev 30558) +++ data/CVE/list 2014-12-05 15:53:03 UTC (rev 30559) @@ -3431,8 +3431,11 @@ RESERVED CVE-2014-8110 RESERVED -CVE-2014-8109 +CVE-2014-8109 [apache mod_lua LuaAuthzProvider uses wrong arguments] RESERVED + - apache2 unfixed + [wheezy] - apache2 not-affected (mod_lua only in 2.4) + [squeeze] - apache2 not-affected (mod_lua only in 2.4) CVE-2014-8108 RESERVED CVE-2014-8107 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
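Review bot: the CVE-2014-8109 hunk adds the title and the wheezy/squeeze not-affected lines, but the unstable line is plain "apache2 unfixed" with no severity, while r30049 and r32224 on this page rate comparable mod_* issues "(low)"; either set a severity here or record in a NOTE why it is left unrated, so the DSA-needed decision is visible from the entry.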
[Secure-testing-commits] r30129 - data/CVE
Author: sf Date: 2014-11-18 14:32:30 + (Tue, 18 Nov 2014) New Revision: 30129 Modified: data/CVE/list Log: note CVE-2014-3583 apache2 fix Modified: data/CVE/list === --- data/CVE/list 2014-11-18 14:04:06 UTC (rev 30128) +++ data/CVE/list 2014-11-18 14:32:30 UTC (rev 30129) @@ -12287,9 +12287,9 @@ RESERVED CVE-2014-3584 (The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before ...) NOT-FOR-US: Apache CXF -CVE-2014-3583 [mod_proxy_fcgi heap-based buffer overflow] +CVE-2014-3583 [mod_proxy_fcgi buffer overread] RESERVED - - apache2 unfixed (low) + - apache2 2.4.10-8 (low) [wheezy] - apache2 no-dsa (minor issue) NOTE: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?r1=1618401r2=1638818 NOTE: Only exploitable by a malicious fcgi script. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
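Review bot: the title is corrected from "heap-based buffer overflow" to "buffer overread", which changes the impact from memory corruption to a crash or information leak, but the "(low)" rating and the [wheezy] no-dsa (minor issue) line are carried over unchanged and the NOTE still only says "Only exploitable by a malicious fcgi script."; a one-line NOTE explaining why the rating stands after the reclassification would make the decision reviewable.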
[Secure-testing-commits] r30049 - data/CVE
Author: sf Date: 2014-11-13 20:43:02 + (Thu, 13 Nov 2014) New Revision: 30049 Modified: data/CVE/list Log: CVE-2014-3583 apache2 no-dsa Modified: data/CVE/list === --- data/CVE/list 2014-11-13 20:23:07 UTC (rev 30048) +++ data/CVE/list 2014-11-13 20:43:02 UTC (rev 30049) @@ -11882,8 +11882,10 @@ NOT-FOR-US: Apache CXF CVE-2014-3583 [mod_proxy_fcgi heap-based buffer overflow] RESERVED - - apache2 unfixed + - apache2 unfixed (low) + [wheezy] - apache2 no-dsa (minor issue) NOTE: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?r1=1618401r2=1638818 + NOTE: Only exploitable by a malicious fcgi script. CVE-2014-3582 RESERVED CVE-2014-3581 (The cache_merge_headers_out function in modules/cache/cache_util.c in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
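Review bot: the hunk adds a [wheezy] no-dsa line but nothing for squeeze, which other entries in this period annotate alongside wheezy (e.g. CVE-2014-8109 in r30559), so squeeze is implicitly left as affected; the added NOTE "Only exploitable by a malicious fcgi script." would justify the same no-dsa line there, or, if mod_proxy_fcgi is absent from 2.2 as r30996 later records, not-affected for both suites.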
[Secure-testing-commits] r29928 - data/CVE
Author: sf Date: 2014-11-09 13:49:14 + (Sun, 09 Nov 2014) New Revision: 29928 Modified: data/CVE/list Log: mark apache2 trailers issue CVE-2013-5704 as no-dsa Modified: data/CVE/list === --- data/CVE/list 2014-11-09 13:06:45 UTC (rev 29927) +++ data/CVE/list 2014-11-09 13:49:14 UTC (rev 29928) @@ -25587,9 +25587,8 @@ CVE-2013-5704 (The mod_headers module in the Apache HTTP Server 2.2.22 allows remote ...) {DLA-71-1} - apache2 2.4.10-2 (medium) + [wheezy] - apache2 no-dsa (minor issue) NOTE: http://marc.info/?l=apache-httpd-devm=139636309822854w=2 - NOTE: Patch for 2.4.x at: https://github.com/apache/httpd/commit/bd34b9d92894b7fc01810fc11a059fa30067e431#diff-381c180d963fb4507c77d80edb208224 - NOTE: Patche for 2.2.x at: https://github.com/apache/httpd/commit/16e241ed9f0482acfda30b115227101744ccbc2c CVE-2013-5703 (The DrayTek Vigor 2700 router 2.8.3 allows remote attackers to execute ...) NOT-FOR-US: DrayTek Vigor 2700 router CVE-2013-5702 (Multiple cross-site scripting (XSS) vulnerabilities in WebCenter in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
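Review bot: the hunk deletes the two NOTE: lines with the upstream patch links for 2.4.x and 2.2.x at the same time as it marks wheezy no-dsa; those links are exactly what a later wheezy update needs (r30996 on this page does record 2.2.22-13+deb7u4 for this CVE), so keep them, fixing the "Patche" typo if anything.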
[Secure-testing-commits] r28941 - data/CVE
Author: sf Date: 2014-09-21 21:29:10 + (Sun, 21 Sep 2014) New Revision: 28941 Modified: data/CVE/list Log: note apache2 fix Modified: data/CVE/list === --- data/CVE/list 2014-09-21 20:39:27 UTC (rev 28940) +++ data/CVE/list 2014-09-21 21:29:10 UTC (rev 28941) @@ -20626,7 +20626,7 @@ NOTE: Upstream commit: https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d NOTE: http://martin.swende.se/blog/HTTPChunked.html CVE-2013-5704 (The mod_headers module in the Apache HTTP Server 2.2.22 allows remote ...) - - apache2 unfixed + - apache2 2.4.10-2 NOTE: http://marc.info/?l=apache-httpd-devm=139636309822854w=2 CVE-2013-5703 (The DrayTek Vigor 2700 router 2.8.3 allows remote attackers to execute ...) NOT-FOR-US: DrayTek Vigor 2700 router ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r27958 - in data: . DSA
Author: sf Date: 2014-07-24 21:26:21 + (Thu, 24 Jul 2014) New Revision: 27958 Modified: data/DSA/list data/dsa-needed.txt Log: apache2 DSA Modified: data/DSA/list === --- data/DSA/list 2014-07-24 21:14:11 UTC (rev 27957) +++ data/DSA/list 2014-07-24 21:26:21 UTC (rev 27958) @@ -1,3 +1,6 @@ +[24 Jul 2014] DSA-2989-1 apache2 - security update + {CVE-2014-0118 CVE-2014-0226 CVE-2014-0231} + [wheezy] - apache2 2.2.22-13+deb7u3 [24 Jul 2014] DSA-2988-1 transmission - security update {CVE-2014-4909} [wheezy] - transmission 2.52-3+nmu2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2014-07-24 21:14:11 UTC (rev 27957) +++ data/dsa-needed.txt 2014-07-24 21:26:21 UTC (rev 27958) @@ -13,8 +13,6 @@ -- -apache2 (sf) --- asterisk -- cacti ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
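Review bot: the DSA-2989-1 entry lists CVE-2014-0118, CVE-2014-0226 and CVE-2014-0231 and omits CVE-2014-0117, which r27904 marks [wheezy] not-affected ("Affects 2.4.6 to 2.4.9"); that is consistent with the CVE/list state, and the dsa-needed.txt removal of "apache2 (sf)" together with its "--" separator keeps the list well-formed.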
[Secure-testing-commits] r27959 - data/CVE
Author: sf Date: 2014-07-24 22:22:52 + (Thu, 24 Jul 2014) New Revision: 27959 Modified: data/CVE/list Log: CVE-2013-5704 needs fixing Modified: data/CVE/list === --- data/CVE/list 2014-07-24 21:26:21 UTC (rev 27958) +++ data/CVE/list 2014-07-24 22:22:52 UTC (rev 27959) @@ -16750,7 +16750,7 @@ NOTE: Upstream commit: https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d NOTE: http://martin.swende.se/blog/HTTPChunked.html CVE-2013-5704 (The mod_headers module in the Apache HTTP Server 2.2.22 allows remote ...) - - apache2 undetermined + - apache2 unfixed NOTE: http://marc.info/?l=apache-httpd-devm=139636309822854w=2 CVE-2013-5703 (The DrayTek Vigor 2700 router 2.8.3 allows remote attackers to execute ...) NOT-FOR-US: DrayTek Vigor 2700 router ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r27904 - data/CVE
Author: sf Date: 2014-07-23 06:12:05 + (Wed, 23 Jul 2014) New Revision: 27904 Modified: data/CVE/list Log: note some apache2 fixes Modified: data/CVE/list === --- data/CVE/list 2014-07-23 05:52:18 UTC (rev 27903) +++ data/CVE/list 2014-07-23 06:12:05 UTC (rev 27904) @@ -12692,7 +12692,7 @@ RESERVED CVE-2014-0231 [mod_cgid denial of service] RESERVED - - apache2 unfixed + - apache2 2.4.10-1 CVE-2014-0230 RESERVED CVE-2014-0229 @@ -12704,7 +12704,7 @@ RESERVED CVE-2014-0226 [mod_status buffer overflow] RESERVED - - apache2 unfixed + - apache2 2.4.10-1 CVE-2014-0225 [Information disclosure via SSRF] RESERVED - libspring-java unfixed (low; bug #753470) @@ -13095,10 +13095,10 @@ - tomcat6 6.0.41-1 CVE-2014-0118 [mod_deflate denial of service] RESERVED - - apache2 unfixed + - apache2 2.4.10-1 CVE-2014-0117 [mod_proxy denial of service] RESERVED - - apache2 unfixed + - apache2 2.4.10-1 [squeeze] - apache2 not-affected (Affects 2.4.6 to 2.4.9) [wheezy] - apache2 not-affected (Affects 2.4.6 to 2.4.9) CVE-2014-0116 (CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
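Review bot: in the CVE-2014-0117 hunk the suite lines are ordered [squeeze] then [wheezy], whereas every other entry on this page lists [wheezy] first; harmless for the parser but worth keeping consistent. The three other hunks (CVE-2014-0231, CVE-2014-0226, CVE-2014-0118) record only 2.4.10-1 and so leave wheezy/squeeze open, which matches the DSA-2989-1 entry added in r27958 the following day.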
[Secure-testing-commits] r27925 - data
Author: sf Date: 2014-07-23 20:45:34 + (Wed, 23 Jul 2014) New Revision: 27925 Modified: data/dsa-needed.txt Log: claim apache2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2014-07-23 20:36:45 UTC (rev 27924) +++ data/dsa-needed.txt 2014-07-23 20:45:34 UTC (rev 27925) @@ -13,7 +13,7 @@ -- -apache2 +apache2 (sf) -- asterisk -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r27927 - data/CVE
Author: sf Date: 2014-07-23 21:46:26 + (Wed, 23 Jul 2014) New Revision: 27927 Modified: data/CVE/list Log: CVE-2013-4352 does not affect squeeze/wheezy It only affects 2.4.[56]. Since 2.4.5 was never released, the security info on the apache web page is actually correct. Modified: data/CVE/list === --- data/CVE/list 2014-07-23 21:14:13 UTC (rev 27926) +++ data/CVE/list 2014-07-23 21:46:26 UTC (rev 27927) @@ -20287,8 +20287,8 @@ [squeeze] - openssl not-affected (Only affects 1.0.1 to 1.0.1e) CVE-2013-4352 (The cache_invalidate function in modules/cache/cache_storage.c in the ...) - apache2 2.4.7-1 (low) - NOTE: According to http://httpd.apache.org/security/vulnerabilities_24.html this should only affect - NOTE: 2.4.6, but that seems wrong, since 2.4.6 was a single-change regression update + [wheezy] - apache2 not-affected (Only affects 2.4.[56]) + [squeeze] - apache2 not-affected (Only affects 2.4.[56]) CVE-2013-4351 (GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all ...) {DSA-2774-1 DSA-2773-1} - gnupg 1.4.15-1 (low; bug #722722) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
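Review bot: the hunk replaces the two NOTE: lines that questioned the upstream advisory with [wheezy]/[squeeze] not-affected (Only affects 2.4.[56]), but the reason given in the commit message ("Since 2.4.5 was never released, the security info on the apache web page is actually correct") is not carried into the entry; keep a one-line NOTE with it so the next reader of vulnerabilities_24.html does not reopen the same doubt.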
[Secure-testing-commits] r26351 - data/CVE
Author: sf Date: 2014-03-30 10:18:09 + (Sun, 30 Mar 2014) New Revision: 26351 Modified: data/CVE/list Log: one apache2 issue probably not affected, one no-dsa Modified: data/CVE/list === --- data/CVE/list 2014-03-30 09:26:21 UTC (rev 26350) +++ data/CVE/list 2014-03-30 10:18:09 UTC (rev 26351) @@ -6785,6 +6785,7 @@ RESERVED CVE-2014-0098 (The log_cookie function in mod_log_config.c in the mod_log_config ...) - apache2 2.4.9-1 + NOTE: Looks like it was introduced in 2.2.23 which would mean that squeeze+wheezy are not affected. sf: waiting for confirmation. CVE-2014-0097 RESERVED - libspring-java not-affected (ActiveDirectoryLdapAuthenticator not yet present, introduced in 3.1) @@ -8397,6 +8398,8 @@ NOT-FOR-US: Candlepin CVE-2013-6438 (The dav_xml_get_cdata function in main/util.c in the mod_dav module in ...) - apache2 2.4.9-1 + [squeeze] - apache2 no-dsa (will be fixed in point release unless CVE-2014-0098 needs a DSA) + [wheezy] - apache2 no-dsa (will be fixed in point release unless CVE-2014-0098 needs a DSA) CVE-2013-6437 (The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and ...) - nova 2013.2.2 [wheezy] - nova not-affected (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
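Review bot: the CVE-2014-0098 hunk adds a NOTE saying the bug looks introduced in 2.2.23 ("sf: waiting for confirmation") but leaves wheezy/squeeze without a suite line, so they stay listed as affected; that is the right default while unconfirmed (wheezy is 2.2.22 per the DSA entries on this page, so confirmation would make both not-affected). The CVE-2013-6438 no-dsa lines are explicitly conditional on that outcome, so both entries need revisiting once the answer is in.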
[Secure-testing-commits] r26342 - data/CVE
Author: sf Date: 2014-03-29 22:02:16 + (Sat, 29 Mar 2014) New Revision: 26342 Modified: data/CVE/list Log: apache2 fixed Modified: data/CVE/list === --- data/CVE/list 2014-03-29 21:14:10 UTC (rev 26341) +++ data/CVE/list 2014-03-29 22:02:16 UTC (rev 26342) @@ -6781,7 +6781,7 @@ CVE-2014-0099 RESERVED CVE-2014-0098 (The log_cookie function in mod_log_config.c in the mod_log_config ...) - - apache2 unfixed + - apache2 2.4.9-1 CVE-2014-0097 RESERVED - libspring-java not-affected (ActiveDirectoryLdapAuthenticator not yet present, introduced in 3.1) @@ -8393,7 +8393,7 @@ CVE-2013-6439 (Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a ...) NOT-FOR-US: Candlepin CVE-2013-6438 (The dav_xml_get_cdata function in main/util.c in the mod_dav module in ...) - - apache2 unfixed + - apache2 2.4.9-1 CVE-2013-6437 (The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and ...) - nova 2013.2.2 [wheezy] - nova not-affected (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r25464 - data
Author: sf Date: 2014-02-02 09:09:28 + (Sun, 02 Feb 2014) New Revision: 25464 Modified: data/dsa-needed.txt Log: apache2 fixed in point releases Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2014-02-02 07:52:54 UTC (rev 25463) +++ data/dsa-needed.txt 2014-02-02 09:09:28 UTC (rev 25464) @@ -13,8 +13,6 @@ -- -apache2 (sf) --- chromium-browser -- drupal6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r25461 - data
Author: sf Date: 2014-02-01 20:03:13 + (Sat, 01 Feb 2014) New Revision: 25461 Modified: data/next-point-update.txt Log: upcoming apache2 fixes Modified: data/next-point-update.txt === --- data/next-point-update.txt 2014-02-01 15:56:13 UTC (rev 25460) +++ data/next-point-update.txt 2014-02-01 20:03:13 UTC (rev 25461) @@ -94,3 +94,7 @@ [wheezy] - linux 3.2.54-1 CVE-2014-1446 [wheezy] - linux 3.2.54-1 +CVE-2013-1896 + [wheezy] - apache2 2.2.22-13+deb7u1 +CVE-2013-1862 + [wheezy] - apache2 2.2.22-13+deb7u1 (unimportant) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23109 - data
Author: sf Date: 2013-07-27 08:25:46 + (Sat, 27 Jul 2013) New Revision: 23109 Modified: data/dsa-needed.txt Log: note apache2 dsa needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-07-27 07:20:47 UTC (rev 23108) +++ data/dsa-needed.txt 2013-07-27 08:25:46 UTC (rev 23109) @@ -13,6 +13,8 @@ -- +apache2 (sf) +-- bind9 -- chromium-browser ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23039 - data/CVE
Author: sf Date: 2013-07-22 19:04:07 + (Mon, 22 Jul 2013) New Revision: 23039 Modified: data/CVE/list Log: note fixes for some unimportant apache2 issues Modified: data/CVE/list === --- data/CVE/list 2013-07-22 14:38:04 UTC (rev 23038) +++ data/CVE/list 2013-07-22 19:04:07 UTC (rev 23039) @@ -7449,7 +7449,7 @@ NOTE: http://www.samba.org/samba/history/samba-4.0.4.html NOTE: http://www.samba.org/samba/security/CVE-2013-1863 CVE-2013-1862 (mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server ...) - - apache2 unfixed (unimportant) + - apache2 2.4.1-1 (unimportant) NOTE: Such injection issues are not treated as security issues CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, ...) - mysql-5.5 unfixed (low; bug #706715) @@ -31114,7 +31114,7 @@ CVE-2011-4416 RESERVED CVE-2011-4415 (The ap_pregsub function in server/util.c in the Apache HTTP Server ...) - - apache2 unfixed (unimportant) + - apache2 2.4.1-1 (unimportant) NOTE: apache2 does not protect or claim to protect against DoS through .htaccess CVE-2011-4414 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r21514 - data/DSA
Author: sf Date: 2013-03-04 21:01:50 + (Mon, 04 Mar 2013) New Revision: 21514 Modified: data/DSA/list Log: upcoming apache2 DSA Modified: data/DSA/list === --- data/DSA/list 2013-03-04 21:01:37 UTC (rev 21513) +++ data/DSA/list 2013-03-04 21:01:50 UTC (rev 21514) @@ -1,3 +1,6 @@ +[04 Mar 2013] DSA-2637-1 apache2 - several + {CVE-2012-3499 CVE-2012-4558 CVE-2013-1048} + [squeeze] - apache2 2.2.16-6+squeeze11 [01 Mar 2013] DSA-2636-1 xen - several {CVE-2012-2625 CVE-2012-4544 CVE-2012-5511 CVE-2012-5634 CVE-2012-6333 CVE-2013-0153} [squeeze] - xen 4.0.1-5.7 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r21516 - data/CVE
Author: sf Date: 2013-03-04 21:40:37 + (Mon, 04 Mar 2013) New Revision: 21516 Modified: data/CVE/list Log: note apache2 fixes Modified: data/CVE/list === --- data/CVE/list 2013-03-04 21:14:26 UTC (rev 21515) +++ data/CVE/list 2013-03-04 21:40:37 UTC (rev 21516) @@ -2760,9 +2760,10 @@ {DSA-2635-1} - cfingerd 1.4.3-3.1 (bug #700098) NOTE: https://bugs.launchpad.net/ubuntu/+source/cfingerd/+bug/1104425 -CVE-2013-1048 +CVE-2013-1048 [apache2ctl unsafe lock dir creation] RESERVED {DSA-2637-1} + - apache2 2.2.22-13 CVE-2013-1047 RESERVED CVE-2013-1046 @@ -10437,7 +10438,7 @@ - libssh 0.5.3-1 CVE-2012-4558 (Multiple cross-site scripting (XSS) vulnerabilities in the ...) {DSA-2637-1} - - apache2 unfixed (low) + - apache2 2.2.22-13 (low) CVE-2012-4557 (The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through ...) {DSA-2579-1} - apache2 2.2.22-1 @@ -13169,7 +13170,7 @@ - devscripts 2.12.2 CVE-2012-3499 (Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP ...) {DSA-2637-1} - - apache2 unfixed (low) + - apache2 2.2.22-13 (low) CVE-2012-3498 (PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and ...) - xen 4.1.3-2 (bug #686764) [squeeze] - xen not-affected (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
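Review bot: the new `- apache2 2.2.22-13` line under CVE-2013-1048 has no severity annotation, while the two sibling entries updated in the same commit (CVE-2012-4558 and CVE-2012-3499) keep their `(low)` tag when they move from `unfixed` to `2.2.22-13`; either add a rating to CVE-2013-1048 or a NOTE explaining why it is left unrated, so the three DSA-2637-1 entries stay consistent.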
[Secure-testing-commits] r20578 - data/DSA
Author: sf Date: 2012-11-30 12:52:24 + (Fri, 30 Nov 2012) New Revision: 20578 Modified: data/DSA/list Log: note rssh dsa, upcoming apache2 dsa Modified: data/DSA/list === --- data/DSA/list 2012-11-29 21:14:22 UTC (rev 20577) +++ data/DSA/list 2012-11-30 12:52:24 UTC (rev 20578) @@ -1,3 +1,9 @@ +[30 Nov 2012] DSA-2579-1 apache2 - several + {CVE-2012-4557 CVE-2012-4929} + [squeeze] - apache2 2.2.16-6+squeeze10 +[28 Nov 2012] DSA-2578-1 rssh - several + {CVE-2012-2251 CVE-2012-2252} + [squeeze] - rssh 2.3.2-13squeeze3 [22 Nov 2012] DSA-2577-1 libssh - several {CVE-2012-4559 CVE-2012-4561 CVE-2012-4562} [squeeze] - libssh 0.4.5-3+squeeze1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r19572 - data/CVE
Author: sf Date: 2012-06-23 20:51:23 + (Sat, 23 Jun 2012) New Revision: 19572 Modified: data/CVE/list Log: apache2 issue fixed Modified: data/CVE/list === --- data/CVE/list 2012-06-23 17:12:44 UTC (rev 19571) +++ data/CVE/list 2012-06-23 20:51:23 UTC (rev 19572) @@ -2284,7 +2284,7 @@ RESERVED CVE-2012-2687 [apache mod_negotiation XSS] RESERVED - - apache2 unfixed (low) + - apache2 2.2.22-8 (low) [squeeze] - apache2 no-dsa (minor issue) CVE-2012-2686 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r19510 - data/CVE
Author: sf Date: 2012-06-16 22:37:03 + (Sat, 16 Jun 2012) New Revision: 19510 Modified: data/CVE/list Log: minor apache2 issue Modified: data/CVE/list === --- data/CVE/list 2012-06-16 21:14:21 UTC (rev 19509) +++ data/CVE/list 2012-06-16 22:37:03 UTC (rev 19510) @@ -1812,8 +1812,10 @@ RESERVED CVE-2012-2688 RESERVED -CVE-2012-2687 +CVE-2012-2687 [apache mod_negotiation XSS] RESERVED + - apache2 unfixed (low) + [squeeze] - apache2 no-dsa (minor issue) CVE-2012-2686 RESERVED CVE-2012-2685 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r18958 - data/DSA
Author: sf Date: 2012-04-15 21:23:12 + (Sun, 15 Apr 2012) New Revision: 18958 Modified: data/DSA/list Log: note upcoming apache2 DSA Modified: data/DSA/list === --- data/DSA/list 2012-04-15 19:29:31 UTC (rev 18957) +++ data/DSA/list 2012-04-15 21:23:12 UTC (rev 18958) @@ -1,3 +1,6 @@ +[13 Apr 2012] DSA-2452-1 apache2 - insecure default configuration + {CVE-2012-0216} + [squeeze] - apache2 2.2.16-6+squeeze7 [13 Apr 2012] DSA-2451-1 puppet - several {CVE-2012-1906 CVE-2012-1986 CVE-2012-1987 CVE-2012-1988} [squeeze] - puppet 2.6.2-5+squeeze5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r18959 - data/CVE
Author: sf Date: 2012-04-15 22:11:36 + (Sun, 15 Apr 2012) New Revision: 18959 Modified: data/CVE/list Log: apache2 fixed Modified: data/CVE/list === --- data/CVE/list 2012-04-15 21:23:12 UTC (rev 18958) +++ data/CVE/list 2012-04-15 22:11:36 UTC (rev 18959) @@ -5457,8 +5457,9 @@ RESERVED CVE-2012-0217 RESERVED -CVE-2012-0216 +CVE-2012-0216 [apache2 insecure default config] RESERVED + - apache2 2.2.22-4 (low) CVE-2012-0215 [tryton-server privilege escalation through Many2Many editing] RESERVED {DSA-2444-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
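Review bot: the CVE-2012-0216 entry gains the fixed unstable version `2.2.22-4 (low)` but no `{DSA-2452-1}` cross-reference and no `[squeeze]` line, although DSA-2452-1 for exactly this CVE was entered in data/DSA/list one revision earlier (r18958, shown above) with `[squeeze] - apache2 2.2.16-6+squeeze7`; other fixed entries on this page (for example CVE-2012-4558 in r21516) carry the `{DSA-…}` line, so add it here too.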
[Secure-testing-commits] r18693 - data/CVE
Author: sf Date: 2012-03-17 15:52:39 + (Sat, 17 Mar 2012) New Revision: 18693 Modified: data/CVE/list Log: apache2 non-issue Modified: data/CVE/list === --- data/CVE/list 2012-03-17 15:30:46 UTC (rev 18692) +++ data/CVE/list 2012-03-17 15:52:39 UTC (rev 18693) @@ -1770,8 +1770,9 @@ NOTE: http://code.google.com/p/simplesamlphp/issues/detail?id=468 CVE-2012-0884 (The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 ...) - openssl 1.0.0h-1 (low) -CVE-2012-0883 +CVE-2012-0883 [apache httpd insecure LD_LIBRARY_PATH] RESERVED + - apache2 not-affected (LD_LIBRARY_PATH not set in debian package) CVE-2012-0882 RESERVED CVE-2012-0881 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r18542 - data/CVE
Author: sf Date: 2012-02-25 21:51:04 + (Sat, 25 Feb 2012) New Revision: 18542 Modified: data/CVE/list Log: apr no-dsa Modified: data/CVE/list === --- data/CVE/list 2012-02-25 16:10:40 UTC (rev 18541) +++ data/CVE/list 2012-02-25 21:51:04 UTC (rev 18542) @@ -1008,6 +1008,7 @@ - libxml2 unfixed (bug #660846) CVE-2012-0840 (tables/apr_hash.c in the Apache Portable Runtime (APR) library through ...) - apr unfixed (low; bug #655435) + [squeeze] - apr no-dsa (exploitability in httpd extremely limited, not known to be exploitable in svn) NOTE: Commit http://mail-archives.apache.org/mod_mbox/apr-commits/201201.mbox/%3c20120115003715.071d42388...@eris.apache.org%3E seems to cause regressions CVE-2012-0839 (OCaml 3.12.1 and earlier computes hash values without restricting the ...) - ocaml unfixed (low; bug #659149) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r18384 - bin
Author: sf Date: 2012-02-06 08:01:25 + (Mon, 06 Feb 2012) New Revision: 18384 Modified: bin/gen-DSA Log: clarify usage Modified: bin/gen-DSA === --- bin/gen-DSA 2012-02-06 07:56:52 UTC (rev 18383) +++ bin/gen-DSA 2012-02-06 08:01:25 UTC (rev 18384) @@ -32,7 +32,9 @@ } [ $# -ge 2 ] || { -echo usage: $0 [--save] [DSA] package vulnerability [cve(s) [bugnumber]] 2 +echo usage: $0 [--save] [DSA] package 'vulnerability desc' [cve(s) [bugnumber]] 2 +echo'DSA' is the DSA number without the leading 'DSA-' prefix 2 +echo'cve(s)' must be a space separated list in one arg 2 exit 1 } ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
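Review bot: the unquoted parentheses in `[cve(s) [bugnumber]]` on the usage line are a shell syntax error in both the removed and the added `echo` (an unquoted `(` starts a subshell), so the whole usage text should be placed in single quotes rather than only `'vulnerability desc'`; the same applies to the new `echo'cve(s)' must be a space separated list in one arg` line, where only `cve(s)` is quoted and, as listed, there is no space between `echo` and the opening quote. The trailing bare `2` on each of the three lines also looks like a `>&2` redirect that lost its `>&`; as written the `2` would simply be printed as part of the message.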
[Secure-testing-commits] r18385 - data/DSA
Author: sf Date: 2012-02-06 08:56:10 + (Mon, 06 Feb 2012) New Revision: 18385 Modified: data/DSA/list Log: fix version Modified: data/DSA/list === --- data/DSA/list 2012-02-06 08:01:25 UTC (rev 18384) +++ data/DSA/list 2012-02-06 08:56:10 UTC (rev 18385) @@ -1,6 +1,6 @@ [06 Feb 2012] DSA-2405-1 apache2 - multiple issues {CVE-2011-3368 CVE-2011-3607 CVE-2011-3639 CVE-2011-4317 CVE-2012-0031 CVE-2012-0053} - [squeeze] - apache2 2.2.16-6+squeeze5 + [squeeze] - apache2 2.2.16-6+squeeze6 [lenny] - apache2 2.2.9-10+lenny12 [05 Feb 2012] DSA-2404-1 xen-qemu-dm-4.0 - buffer overflow {CVE-2012-0029} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r17687 - data/CVE
Author: sf Date: 2011-11-26 19:40:24 + (Sat, 26 Nov 2011) New Revision: 17687 Modified: data/CVE/list Log: apache2: one issue unimportant, two new variants of a previous issue Modified: data/CVE/list === --- data/CVE/list 2011-11-26 15:44:33 UTC (rev 17686) +++ data/CVE/list 2011-11-26 19:40:24 UTC (rev 17687) @@ -347,7 +347,8 @@ CVE-2011-4416 RESERVED CVE-2011-4415 (The ap_pregsub function in server/util.c in the Apache HTTP Server ...) - - apache2 unfixed + - apache2 unfixed (unimportant) + NOTE: apache2 does not protect or claim to protect against DoS through .htaccess CVE-2011-4414 RESERVED CVE-2011-4413 @@ -569,8 +570,10 @@ RESERVED - dovecot unfixed (unimportant; bug #649511) NOTE: Additional hardening -CVE-2011-4317 +CVE-2011-4317 [mod_proxy/mod_rewrite insufficient sanitization of invalid URLs] RESERVED + - apache2 unfixed + NOTE: Related to CVE-2011-3368 and CVE-2011-3639 but a different issue CVE-2011-4316 RESERVED CVE-2011-4315 @@ -2609,8 +2612,10 @@ [lenny] - chromium-browser no-dsa (attacker needs to get malicious file into cwd first) [squeeze] - chromium-browser no-dsa (attacker needs to get malicious file into cwd first) NOTE: http://seclists.org/fulldisclosure/2011/Oct/734 -CVE-2011-3639 +CVE-2011-3639 [mod_proxy/mod_rewrite insufficient URI sanitization with HTTP/0.9 and pre 2.2.18] RESERVED + - apache2 2.2.18-1 + NOTE: Related to CVE-2011-3368 and CVE-2011-4317 but a different issue CVE-2011-3638 RESERVED - linux-2.6 3.0.0-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
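Review bot: the new `- apache2 unfixed` line under CVE-2011-4317 carries no severity tag, although the NOTE relates it to CVE-2011-3368, which the tracker rates `(medium)` (see r17412 below on this page); add a rating, or a NOTE stating why this variant is rated differently, so the three related entries can be triaged together.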
[Secure-testing-commits] r17412 - data/CVE
Author: sf Date: 2011-10-11 21:42:44 + (Tue, 11 Oct 2011) New Revision: 17412 Modified: data/CVE/list Log: apache2 fixed Modified: data/CVE/list === --- data/CVE/list 2011-10-11 21:14:20 UTC (rev 17411) +++ data/CVE/list 2011-10-11 21:42:44 UTC (rev 17412) @@ -1770,7 +1770,7 @@ CVE-2011-3369 (The add_conversation function in conversations.c in EtherApe before ...) TODO: check CVE-2011-3368 (The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, ...) - - apache2 unfixed (medium) + - apache2 2.2.21-2 (medium) NOTE: http://article.gmane.org/gmane.comp.apache.announce/61 CVE-2011-3367 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r17298 - data/CVE
Author: sf Date: 2011-09-26 17:01:40 + (Mon, 26 Sep 2011) New Revision: 17298 Modified: data/CVE/list Log: CVE-2011-3348 fixed in unstable and in next stable point release Modified: data/CVE/list === --- data/CVE/list 2011-09-26 12:35:48 UTC (rev 17297) +++ data/CVE/list 2011-09-26 17:01:40 UTC (rev 17298) @@ -695,7 +695,8 @@ RESERVED - lightdm 0.9.6-1 (bug #639151) CVE-2011-3348 (The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when ...) - - apache2 unfixed + - apache2 2.2.21-1 + [squeeze] - apache2 2.2.16-6+squeeze4 [lenny] - apache2 not-affected (introduced in 2.2.12) CVE-2011-3347 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r17254 - data/CVE
Author: sf Date: 2011-09-17 11:26:50 + (Sat, 17 Sep 2011) New Revision: 17254 Modified: data/CVE/list Log: CVE-2011-3348 does not affect lenny Modified: data/CVE/list === --- data/CVE/list 2011-09-16 21:14:18 UTC (rev 17253) +++ data/CVE/list 2011-09-17 11:26:50 UTC (rev 17254) @@ -376,6 +376,7 @@ CVE-2011-3348 [mod_proxy_ajp when combined with mod_proxy_balancer: DoS] RESERVED - apache2 unfixed + [lenny] - apache2 not-affected (introduced in 2.2.12) CVE-2011-3347 RESERVED CVE-2011-3346 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r17136 - data/CVE
Author: sf Date: 2011-08-29 15:53:31 + (Mon, 29 Aug 2011) New Revision: 17136 Modified: data/CVE/list Log: apache2 CVE-2011-3192 fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2011-08-29 15:09:49 UTC (rev 17135) +++ data/CVE/list 2011-08-29 15:53:31 UTC (rev 17136) @@ -173,7 +173,7 @@ RESERVED CVE-2011-3192 [byterange filter memory exhaustion DoS] RESERVED - - apache2 unfixed + - apache2 2.2.19-2 CVE-2011-3191 RESERVED - linux-2.6 unfixed ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r17137 - data/CVE
Author: sf Date: 2011-08-29 18:57:51 + (Mon, 29 Aug 2011) New Revision: 17137 Modified: data/CVE/list Log: CVE-2010-2791 was actually fixed before lenny release Modified: data/CVE/list === --- data/CVE/list 2011-08-29 15:53:31 UTC (rev 17136) +++ data/CVE/list 2011-08-29 18:57:51 UTC (rev 17137) @@ -14281,7 +14281,7 @@ CVE-2010-2792 (Race condition in the SPICE (aka spice-xpi) plug-in 2.2 for Firefox ...) NOT-FOR-US: SPICE plugin for Firefox CVE-2010-2791 (mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, ...) - - apache2 2.2.10-1 (low) + - apache2 2.2.9-10 (low) CVE-2010-2790 (Multiple cross-site scripting (XSS) vulnerabilities in the formatQuery ...) - zabbix 1:1.8.3-1 (bug #594304) [squeeze] - zabbix 1:1.8.2-1squeeze1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r17138 - in data: CVE DSA
Author: sf Date: 2011-08-29 21:16:03 + (Mon, 29 Aug 2011) New Revision: 17138 Modified: data/CVE/list data/DSA/list Log: apache2 DSA Modified: data/CVE/list === --- data/CVE/list 2011-08-29 18:57:51 UTC (rev 17137) +++ data/CVE/list 2011-08-29 21:16:03 UTC (rev 17138) @@ -18068,7 +18068,7 @@ - piwik itp (bug #506933) CVE-2010-1452 (The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server ...) - apache2 2.2.16-1 (low) - [lenny] - apache2 no-dsa (mod_cache not affected and mod_dav is easy to DoS anyway) + [lenny] - apache2 2.2.9-10+lenny10 CVE-2010-1451 (The TSB I-TLB load implementation in arch/sparc/kernel/tsb.S in the ...) {DSA-2053-1} - linux-2.6 2.6.32-10 Modified: data/DSA/list === --- data/DSA/list 2011-08-29 18:57:51 UTC (rev 17137) +++ data/DSA/list 2011-08-29 21:16:03 UTC (rev 17138) @@ -1,3 +1,7 @@ +[29 Aug 2011] DSA-2298-1 apache2 - denial of service + {CVE-2011-3192} + [lenny] - apache2 2.2.9-10+lenny10 + [squeeze] - apache2 2.2.16-6+squeeze2 [21 Aug 2011] DSA-2297-1 icedove - several {CVE-2011-0084 CVE-2011-2378 CVE-2011-2981 CVE-2011-2982 CVE-2011-2983 CVE-2011-2984 } [squeeze] - icedove 3.0.11-1+squeeze4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
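Review bot: in the data/CVE/list hunk, CVE-2010-1452 is changed from `[lenny] - apache2 no-dsa (…)` to `[lenny] - apache2 2.2.9-10+lenny10`, the same lenny version that the new DSA-2298-1 entry in data/DSA/list assigns, yet that DSA entry lists only `{CVE-2011-3192}`; either add CVE-2010-1452 to the DSA's CVE set (and a `{DSA-2298-1}` line to the CVE entry, as the other DSA-backed entries on this page have) or record the lenny fix for CVE-2010-1452 separately, so the DSA and CVE lists do not disagree about what DSA-2298-1 fixes.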
[Secure-testing-commits] r16665 - data/DSA
Author: sf Date: 2011-05-15 08:54:41 + (Sun, 15 May 2011) New Revision: 16665 Modified: data/DSA/list Log: apr DSA Modified: data/DSA/list === --- data/DSA/list 2011-05-12 21:15:15 UTC (rev 16664) +++ data/DSA/list 2011-05-15 08:54:41 UTC (rev 16665) @@ -1,3 +1,7 @@ +[15 May 2011] DSA-2237-1 apr - denial of service + {CVE-2011-0419} + [lenny] - apr 1.2.12-5+lenny3 + [squeeze] - apr 1.4.2-6+squeeze1 [12 May 2011] DSA-2236-1 exim4 - command injection {CVE-2011-1407} [squeeze] - exim4 4.72-6+squeeze2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r16663 - data/CVE
Author: sf Date: 2011-05-12 20:51:38 + (Thu, 12 May 2011) New Revision: 16663 Modified: data/CVE/list Log: apache issue is actually in apr and fixed Modified: data/CVE/list === --- data/CVE/list 2011-05-12 20:33:19 UTC (rev 16662) +++ data/CVE/list 2011-05-12 20:51:38 UTC (rev 16663) @@ -4508,9 +4508,9 @@ [lenny] - php5 not-affected (intl extension added in 5.3) [squeeze] - php5 no-dsa (Minor issue) NOTE: http://svn.php.net/viewvc?view=revisionrevision=306449 -CVE-2011-0419 +CVE-2011-0419 [DoS in apr_fnmatch] RESERVED - - apache2 unfixed + - apr 1.4.4-1 (low) CVE-2011-0418 RESERVED CVE-2011-0417 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r16425 - data/DSA
Author: sf Date: 2011-03-23 22:11:43 + (Wed, 23 Mar 2011) New Revision: 16425 Modified: data/DSA/list Log: upcoming apache2 DSA Modified: data/DSA/list === --- data/DSA/list 2011-03-23 21:53:23 UTC (rev 16424) +++ data/DSA/list 2011-03-23 22:11:43 UTC (rev 16425) @@ -1,3 +1,6 @@ +[23 Mar 2011] DSA-2202-1 apache2 - failure to drop root privileges + {CVE-2011-1176} + [squeeze] - apache2 2.2.16-6+squeeze1 [23 Mar 2011] DSA-2201-1 wireshark - several {CVE-2011-0538 CVE-2011-0713 CVE-2011-1139 CVE-2011-1140 CVE-2011-1141} [lenny] - wireshark 1.0.2-3+lenny13 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r16415 - data/CVE
Author: sf Date: 2011-03-22 20:43:27 + (Tue, 22 Mar 2011) New Revision: 16415 Modified: data/CVE/list Log: apache2 fixed Modified: data/CVE/list === --- data/CVE/list 2011-03-22 16:25:30 UTC (rev 16414) +++ data/CVE/list 2011-03-22 20:43:27 UTC (rev 16415) @@ -717,7 +717,7 @@ RESERVED CVE-2011-1176 [apache2-mpm-itk config misparsing] RESERVED - - apache2 unfixed (bug #618857; medium) + - apache2 2.2.17-2 (bug #618857; medium) [lenny] - apache2 not-affected (different source package in lenny: apache2-mpm-itk) [lenny] - apache2-mpm-itk not-affected (bug was introduced later, in 2.2.11-01) CVE-2011-1175 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r16405 - data/CVE
Author: sf Date: 2011-03-20 13:49:56 + (Sun, 20 Mar 2011) New Revision: 16405 Modified: data/CVE/list Log: new apache2-mpm-itk issue Modified: data/CVE/list === --- data/CVE/list 2011-03-20 09:15:30 UTC (rev 16404) +++ data/CVE/list 2011-03-20 13:49:56 UTC (rev 16405) @@ -1,3 +1,7 @@ +CVE-2011- [apache2-mpm-itk config misparsing] + - apache2 unfixed (bug #618857; medium) + [lenny] - apache2 not-affected (different source package in lenny: apache2-mpm-itk) + [lenny] - apache2-mpm-itk not-affected (bug was introduced later, in 2.2.11-01) CVE-2011-1432 (The STARTTLS implementation in SCO SCOoffice Server does not properly ...) TODO: check CVE-2011-1431 (The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r16008 - data/DSA
Author: sf Date: 2011-01-30 10:22:46 + (Sun, 30 Jan 2011) New Revision: 16008 Modified: data/DSA/list Log: add linux-2.6 DSA Modified: data/DSA/list === --- data/DSA/list 2011-01-30 10:10:16 UTC (rev 16007) +++ data/DSA/list 2011-01-30 10:22:46 UTC (rev 16008) @@ -1,3 +1,7 @@ +[30 Jan 2011] DSA-2153-1 linux-2.6 - several issues + {CVE-2010-0435 CVE-2010-3699 CVE-2010-4158 CVE-2010-4162 CVE-2010-4163 CVE-2010-4242 CVE-2010-4243 CVE-2010-4248 CVE-2010-4249 CVE-2010-4258 CVE-2010-4342 CVE-2010-4346 CVE-2010-4526 CVE-2010-4527 CVE-2010-4529 CVE-2010-4565 CVE-2010-4649 CVE-2010-4656 CVE-2010-4668 CVE-2011-0521} + [lenny] - linux-2.6 2.6.26-26lenny2 + [lenny] - user-mode-linux 2.6.26-1um-2+26lenny2 [27 Jan 2011] DSA-2152-1 hplip - buffer overflow {CVE-2010-4267} [lenny] - hplip 2.8.6.b-4+lenny1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r16009 - data/DSA
Author: sf Date: 2011-01-30 10:30:11 + (Sun, 30 Jan 2011) New Revision: 16009 Modified: data/DSA/list Log: add exim4 DSA Modified: data/DSA/list === --- data/DSA/list 2011-01-30 10:22:46 UTC (rev 16008) +++ data/DSA/list 2011-01-30 10:30:11 UTC (rev 16009) @@ -1,3 +1,6 @@ +[30 Jan 2011] DSA-2154-1 exim4 - privilege escalation + {CVE-2010-4345 CVE-2011-0017} + [lenny] - exim4 4.69-9+lenny3 [30 Jan 2011] DSA-2153-1 linux-2.6 - several issues {CVE-2010-0435 CVE-2010-3699 CVE-2010-4158 CVE-2010-4162 CVE-2010-4163 CVE-2010-4242 CVE-2010-4243 CVE-2010-4248 CVE-2010-4249 CVE-2010-4258 CVE-2010-4342 CVE-2010-4346 CVE-2010-4526 CVE-2010-4527 CVE-2010-4529 CVE-2010-4565 CVE-2010-4649 CVE-2010-4656 CVE-2010-4668 CVE-2011-0521} [lenny] - linux-2.6 2.6.26-26lenny2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15878 - / org
Author: sf Date: 2011-01-15 11:36:27 + (Sat, 15 Jan 2011) New Revision: 15878 Added: org/ org/security-frontdesk.2011.txt Log: commit (nearly) empty schedule for frontdesk Added: org/security-frontdesk.2011.txt === --- org/security-frontdesk.2011.txt (rev 0) +++ org/security-frontdesk.2011.txt 2011-01-15 11:36:27 UTC (rev 15878) @@ -0,0 +1,50 @@ +Week 03: 01-17 to 01-23: jmm +Week 04: 01-24 to 01-30: +Week 05: 01-31 to 02-06: +Week 06: 02-07 to 02-13: +Week 07: 02-14 to 02-20: +Week 08: 02-21 to 02-27: +Week 09: 02-28 to 03-06: +Week 10: 03-07 to 03-13: +Week 11: 03-14 to 03-20: +Week 12: 03-21 to 03-27: +Week 13: 03-28 to 04-03: +Week 14: 04-04 to 04-10: +Week 15: 04-11 to 04-17: +Week 16: 04-18 to 04-24: +Week 17: 04-25 to 05-01: +Week 18: 05-02 to 05-08: +Week 19: 05-09 to 05-15: +Week 20: 05-16 to 05-22: +Week 21: 05-23 to 05-29: +Week 22: 05-30 to 06-05: +Week 23: 06-06 to 06-12: +Week 24: 06-13 to 06-19: +Week 25: 06-20 to 06-26: +Week 26: 06-27 to 07-03: +Week 27: 07-04 to 07-10: +Week 28: 07-11 to 07-17: +Week 29: 07-18 to 07-24: +Week 30: 07-25 to 07-31: +Week 31: 08-01 to 08-07: +Week 32: 08-08 to 08-14: +Week 33: 08-15 to 08-21: +Week 34: 08-22 to 08-28: +Week 35: 08-29 to 09-04: +Week 36: 09-05 to 09-11: +Week 37: 09-12 to 09-18: +Week 38: 09-19 to 09-25: +Week 39: 09-26 to 10-02: +Week 40: 10-03 to 10-09: +Week 41: 10-10 to 10-16: +Week 42: 10-17 to 10-23: +Week 43: 10-24 to 10-30: +Week 44: 10-31 to 11-06: +Week 45: 11-07 to 11-13: +Week 46: 11-14 to 11-20: +Week 47: 11-21 to 11-27: +Week 48: 11-28 to 12-04: +Week 49: 12-05 to 12-11: +Week 50: 12-12 to 12-18: +Week 51: 12-19 to 12-25: +Week 52: 12-26 to 01-01: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15889 - data/CVE
Author: sf Date: 2011-01-16 01:17:11 + (Sun, 16 Jan 2011) New Revision: 15889 Modified: data/CVE/list Log: slowloris is no-DSA for lenny Modified: data/CVE/list === --- data/CVE/list 2011-01-16 01:06:01 UTC (rev 15888) +++ data/CVE/list 2011-01-16 01:17:11 UTC (rev 15889) @@ -21978,6 +21978,7 @@ CVE-2009- [slowloris denial-of-service vulnerabilty in webservers] - apache2 2.2.15-3 (medium; bug #533661) - apache removed (medium; bug #533662) + [lenny] - apache2 no-dsa (Minor issue) - squid not-affected - squid3 not-affected NOTE: http://www.squid-cache.org/bugs/show_bug.cgi?id=2694 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15853 - data/CVE
Author: sf Date: 2011-01-14 20:33:09 + (Fri, 14 Jan 2011) New Revision: 15853 Modified: data/CVE/list Log: remove all traces of DSA-2141-3 Modified: data/CVE/list === --- data/CVE/list 2011-01-14 20:15:21 UTC (rev 15852) +++ data/CVE/list 2011-01-14 20:33:09 UTC (rev 15853) @@ -17134,10 +17134,9 @@ - linux-2.6 not-affected (redhat-specific configuration issue) - linux-2.6.24 not-affected (redhat-specific configuration issue) CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as ...) - {DSA-2141-3 DSA-2141-2 DSA-2141-1 DSA-1934-1} + {DSA-2141-2 DSA-2141-1 DSA-1934-1} - apache2 2.2.14-2 - openssl 0.9.8k-6 - [lenny] - openssl no-dsa (fix changes functionality, can be fixed in point release) - nss 3.12.6-1 - sun-java5 removed - sun-java6 6.19-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15818 - data/DTSA
Author: sf Date: 2011-01-07 20:50:47 + (Fri, 07 Jan 2011) New Revision: 15818 Modified: data/DTSA/list Log: note test DTSA Modified: data/DTSA/list === --- data/DTSA/list 2011-01-07 19:11:47 UTC (rev 15817) +++ data/DTSA/list 2011-01-07 20:50:47 UTC (rev 15818) @@ -616,3 +616,6 @@ [April 2nd, 2010] DTSA-206-1 netpbm-free - buffer overflow {CVE-2009-4274} [squeeze] - netpbm-free 2:10.0-12.1+squeeze1 +[January 7th, 2011] DTSA-207-1 mediawiki - clickjacking + {CVE-2011-0003} + [squeeze] - mediawiki 1:1.15.5-2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15793 - data/DSA
Author: sf Date: 2011-01-05 21:31:25 + (Wed, 05 Jan 2011) New Revision: 15793 Modified: data/DSA/list Log: libapache2-mod-fcgid DSA Modified: data/DSA/list === --- data/DSA/list 2011-01-05 09:35:57 UTC (rev 15792) +++ data/DSA/list 2011-01-05 21:31:25 UTC (rev 15793) @@ -1,3 +1,6 @@ +[05 Jan 2010] DSA-2140-1 libapache2-mod-fcgid - stack overflow + {CVE-2010-3872} + [lenny] - libapache2-mod-fcgid 1:2.2-1+lenny1 [31 Dec 2010] DSA-2139-1 phpmyadmin - several {CVE-2010-4329 CVE-2010-4480 CVE-2010-4481} [lenny] - phpmyadmin 4:2.11.8.1-5+lenny7 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
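Review bot: the date on the new `[05 Jan 2010] DSA-2140-1 libapache2-mod-fcgid` line has the wrong year: the commit is dated 2011-01-05 and the line is inserted above the `[31 Dec 2010] DSA-2139-1 phpmyadmin` entry, so it should read `[05 Jan 2011]`.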
[Secure-testing-commits] r15796 - data/DSA
Author: sf Date: 2011-01-05 23:02:24 + (Wed, 05 Jan 2011) New Revision: 15796 Modified: data/DSA/list Log: add upcoming ssl reneg DSAs Modified: data/DSA/list === --- data/DSA/list 2011-01-05 22:05:14 UTC (rev 15795) +++ data/DSA/list 2011-01-05 23:02:24 UTC (rev 15796) @@ -1,3 +1,9 @@ +[05 Jan 2010] DSA-2141-2 nss - protocol design flaw + {CVE-2009-3555} + [lenny] - nss 3.12.3.1-0lenny3 +[05 Jan 2010] DSA-2141-1 openssl - protocol design flaw + {CVE-2009-3555 CVE-2010-4180} + [lenny] - openssl 0.9.8g-15+lenny11 [05 Jan 2010] DSA-2140-1 libapache2-mod-fcgid - stack overflow {CVE-2010-3872} [lenny] - libapache2-mod-fcgid 1:2.2-1+lenny1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15798 - data/DSA
Author: sf Date: 2011-01-06 00:09:50 + (Thu, 06 Jan 2011) New Revision: 15798 Modified: data/DSA/list Log: fix dates Modified: data/DSA/list === --- data/DSA/list 2011-01-06 00:07:52 UTC (rev 15797) +++ data/DSA/list 2011-01-06 00:09:50 UTC (rev 15798) @@ -1,7 +1,7 @@ -[05 Jan 2010] DSA-2141-2 nss - protocol design flaw +[06 Jan 2010] DSA-2141-2 nss - protocol design flaw {CVE-2009-3555} [lenny] - nss 3.12.3.1-0lenny3 -[05 Jan 2010] DSA-2141-1 openssl - protocol design flaw +[06 Jan 2010] DSA-2141-1 openssl - protocol design flaw {CVE-2009-3555 CVE-2010-4180} [lenny] - openssl 0.9.8g-15+lenny11 [05 Jan 2010] DSA-2140-1 libapache2-mod-fcgid - stack overflow ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
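Review bot: this "fix dates" change corrects the day (05 to 06) on the two DSA-2141 lines but leaves the year at 2010 on both, and the unchanged DSA-2140-1 context line is still `[05 Jan 2010]`; all three belong to January 2011, as the commit timestamps and the surrounding `[31 Dec 2010]` entry show, so the year needs the same correction.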
[Secure-testing-commits] r15799 - data/DSA
Author: sf Date: 2011-01-06 00:13:06 + (Thu, 06 Jan 2011) New Revision: 15799 Modified: data/DSA/list Log: fix dates, second try Modified: data/DSA/list === --- data/DSA/list 2011-01-06 00:09:50 UTC (rev 15798) +++ data/DSA/list 2011-01-06 00:13:06 UTC (rev 15799) @@ -1,10 +1,10 @@ -[06 Jan 2010] DSA-2141-2 nss - protocol design flaw +[06 Jan 2011] DSA-2141-2 nss - protocol design flaw {CVE-2009-3555} [lenny] - nss 3.12.3.1-0lenny3 -[06 Jan 2010] DSA-2141-1 openssl - protocol design flaw +[06 Jan 2011] DSA-2141-1 openssl - protocol design flaw {CVE-2009-3555 CVE-2010-4180} [lenny] - openssl 0.9.8g-15+lenny11 -[05 Jan 2010] DSA-2140-1 libapache2-mod-fcgid - stack overflow +[05 Jan 2011] DSA-2140-1 libapache2-mod-fcgid - stack overflow {CVE-2010-3872} [lenny] - libapache2-mod-fcgid 1:2.2-1+lenny1 [31 Dec 2010] DSA-2139-1 phpmyadmin - several ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15451 - data/CVE
Author: sf Date: 2010-10-10 18:45:57 + (Sun, 10 Oct 2010) New Revision: 15451 Modified: data/CVE/list Log: CVE-2010-1623 does not affect apache2 in lenny Modified: data/CVE/list === --- data/CVE/list 2010-10-10 17:10:27 UTC (rev 15450) +++ data/CVE/list 2010-10-10 18:45:57 UTC (rev 15451) @@ -5840,6 +5840,7 @@ {DSA-2117-1} - apr-util 1.3.9+dfsg-4 (medium) - apache2 2.2.16-3 + [lenny] - apache2 not-affected (vulnerable code introduced in 2.2.15-2 or -3) CVE-2010-1622 (SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before ...) - libspring-2.5-java 2.5.6.SEC02-1 (medium) CVE-2010-1621 (The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15418 - data
Author: sf Date: 2010-10-04 20:01:42 + (Mon, 04 Oct 2010) New Revision: 15418 Modified: data/embedded-code-copies Log: some more packages link libbz2 statically. Thanks to Silvio Cesare Modified: data/embedded-code-copies === --- data/embedded-code-copies 2010-10-04 17:16:10 UTC (rev 15417) +++ data/embedded-code-copies 2010-10-04 20:01:42 UTC (rev 15418) @@ -171,6 +171,11 @@ NOTE: libclamav/nsis/bzlib* - pristine-tar unfixable (modified-embed) NOTE: compression code only, not uncompression + - r-base-core-ra unfixed (static) + - r-base-core unfixed (static) + NOTE: seem to link dynamically in squeeze, but needs verification + - rpm unfixed (static) + NOTE: lsb-rpm package is statically linked, normal rpm links dynamically libyahoo2 - centerim unfixed (embed; bug #559783) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r15419 - data
Author: sf Date: 2010-10-04 20:45:31 + (Mon, 04 Oct 2010) New Revision: 15419 Modified: data/embedded-code-copies Log: verified that r-base links libbz2 dynamically in squeeze but it also embeds liblzma, bug filed Modified: data/embedded-code-copies === --- data/embedded-code-copies 2010-10-04 20:01:42 UTC (rev 15418) +++ data/embedded-code-copies 2010-10-04 20:45:31 UTC (rev 15419) @@ -171,9 +171,9 @@ NOTE: libclamav/nsis/bzlib* - pristine-tar unfixable (modified-embed) NOTE: compression code only, not uncompression - - r-base-core-ra unfixed (static) - - r-base-core unfixed (static) - NOTE: seem to link dynamically in squeeze, but needs verification + - r-base-core-ra 1.2.8 (static) + - r-base-core 2.11.1 (static) + NOTE: links dynamically in squeeze, statically in lenny - rpm unfixed (static) NOTE: lsb-rpm package is statically linked, normal rpm links dynamically @@ -628,6 +628,8 @@ lzma - p7zip unfixed (embed) - xz-utils unfixed (fork) + - r-base unfixed (embed) + NOTE: lzma support not yet in lenny or in r-base-core-ra 1.2.8 lzo - grub2 unfixed (embed)
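Review bot: the log says a bug was filed for the embedded liblzma, but the new lzma line reads "r-base unfixed (embed)" with no "bug #" reference in the parentheses, which is where the file records them elsewhere; add it. In the first hunk, "r-base-core-ra 1.2.8 (static)" now pairs a fixed version with a static tag; the NOTE explains that the fix applies to squeeze only, so consider stating the lenny status explicitly rather than leaving it to the NOTE.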
[Secure-testing-commits] r15409 - data/CVE
Author: sf Date: 2010-10-01 16:45:49 + (Fri, 01 Oct 2010) New Revision: 15409 Modified: data/CVE/list Log: new apr-util issue fixed Modified: data/CVE/list === --- data/CVE/list 2010-10-01 04:05:47 UTC (rev 15408) +++ data/CVE/list 2010-10-01 16:45:49 UTC (rev 15409) @@ -5502,8 +5502,9 @@ - pidgin 2.7.0-1 (low) [lenny] - pidgin 2.4.3-4lenny6 NOTE: MSN support was disabled in 2.4.3-4lenny6 -CVE-2010-1623 +CVE-2010-1623 [DoS through mem usage] RESERVED + - apr-util 1.3.9+dfsg-4 (medium) CVE-2010-1622 (SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before ...) - libspring-2.5-java 2.5.6.SEC02-1 (medium) CVE-2010-1621 (The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL ...)
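Review bot: the entry records the unstable fix "apr-util 1.3.9+dfsg-4 (medium)" but nothing for stable; with a medium severity a [lenny] line (fixed, no-dsa or not-affected) should be added so stable is not left unassessed. The placeholder description "[DoS through mem usage]" could also name the affected component.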
[Secure-testing-commits] r15372 - data/CVE
Author: sf Date: 2010-09-24 18:41:24 + (Fri, 24 Sep 2010) New Revision: 15372 Modified: data/CVE/list Log: mark dpkg signature verification issue as unimportant Modified: data/CVE/list === --- data/CVE/list 2010-09-23 21:29:57 UTC (rev 15371) +++ data/CVE/list 2010-09-24 18:41:24 UTC (rev 15372) @@ -343,7 +343,7 @@ CVE-2010- [pin shown locally in cleartext] - network-manager unfixed (low; bug #592364) CVE-2010- [signature verification issue] - - dpkg 1.15.1 (low; bug #592115) + - dpkg 1.15.1 (unimportant; bug #592115) CVE-2010- [recipient domain checks in exim acl] - greylistd 0.8.7+nmu2 (low; bug #591678) CVE-2008- [greylistd bypass]
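Review bot: downgrading the dpkg signature verification issue from low to unimportant carries no recorded rationale; other entries justify such ratings with a NOTE, so add one (what the check covers and why it is not a security boundary) so the decision can be reviewed later.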
[Secure-testing-commits] r15199 - data
Author: sf Date: 2010-08-24 19:56:46 + (Tue, 24 Aug 2010) New Revision: 15199 Modified: data/embedded-code-copies Log: unalz now uses system's libbz2 Modified: data/embedded-code-copies === --- data/embedded-code-copies 2010-08-24 15:07:08 UTC (rev 15198) +++ data/embedded-code-copies 2010-08-24 19:56:46 UTC (rev 15199) @@ -165,7 +165,7 @@ NOTE: let's call it static - dar unfixed (static) - dump unfixed (static) - - unalz unfixed (embed) + - unalz 0.64-1 (embed) NOTE: has code, by the maint, to use the system version but links against the internal copy libyahoo2
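Review bot: the NOTE under unalz ("has code, by the maint, to use the system version but links against the internal copy") described the state before 0.64-1 and now contradicts the fixed version on the line above; update it to say which version switched to the system libbz2, or drop it.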
[Secure-testing-commits] r15077 - data/CVE
Author: sf Date: 2010-07-31 10:10:04 + (Sat, 31 Jul 2010) New Revision: 15077 Modified: data/CVE/list Log: - new old apache2 issue - apache2 no-dsa Modified: data/CVE/list === --- data/CVE/list 2010-07-30 21:14:52 UTC (rev 15076) +++ data/CVE/list 2010-07-31 10:10:04 UTC (rev 15077) @@ -293,8 +293,9 @@ RESERVED CVE-2010-2792 RESERVED -CVE-2010-2791 +CVE-2010-2791 [apache2 mod_proxy information leak] RESERVED + - apache2 2.2.10-1 (low) CVE-2010-2790 [zabbix XSS via formatQuery() of class.curl.php] RESERVED - zabbix unfixed @@ -3841,7 +3842,8 @@ CVE-2010-1453 (Cross-site scripting (XSS) vulnerability in the Login form in Piwik ...) - piwik itp (bug #506933) CVE-2010-1452 (The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server ...) - - apache2 2.2.16-1 + - apache2 2.2.16-1 (low) + [lenny] - apache2 no-dsa (mod_cache not affected and mod_dav is easy to DoS anyway) CVE-2010-1451 (The TSB I-TLB load implementation in arch/sparc/kernel/tsb.S in the ...) {DSA-2053-1} - linux-2.6 2.6.32-10
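Review bot: CVE-2010-2791 is marked fixed in "apache2 2.2.10-1", but lenny ships the 2.2.9-10+lenny series (see the DSA entries elsewhere in this list), so a [lenny] line (fixed, no-dsa or not-affected) is needed, and the entry has no NOTE pointing at the upstream report. For CVE-2010-1452, the no-dsa rationale "mod_dav is easy to DoS anyway" is an opinion rather than a checkable statement; record the concrete reason (which configuration is needed to trigger it) next to it.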
[Secure-testing-commits] r15021 - data/CVE
Author: sf Date: 2010-07-24 20:42:21 + (Sat, 24 Jul 2010) New Revision: 15021 Modified: data/CVE/list Log: apache2 issue fixed Modified: data/CVE/list === --- data/CVE/list 2010-07-23 21:14:19 UTC (rev 15020) +++ data/CVE/list 2010-07-24 20:42:21 UTC (rev 15021) @@ -3567,8 +3567,9 @@ NOT-FOR-US: VMware CVE-2010-1453 (Cross-site scripting (XSS) vulnerability in the Login form in Piwik ...) - piwik itp (bug #506933) -CVE-2010-1452 +CVE-2010-1452 [apache mod_dav/mod_cache DoS] RESERVED + - apache2 2.2.16-1 CVE-2010-1451 (The TSB I-TLB load implementation in arch/sparc/kernel/tsb.S in the ...) {DSA-2053-1} - linux-2.6 2.6.32-10
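Review bot: the new "apache2 2.2.16-1" line has no severity and no [lenny] assessment, unlike the neighbouring entries; the description "[apache mod_dav/mod_cache DoS]" already states the impact, so a severity in parentheses and a stable line should go in with the fix.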
[Secure-testing-commits] r14999 - data/CVE
Author: sf Date: 2010-07-16 20:51:40 + (Fri, 16 Jul 2010) New Revision: 14999 Modified: data/CVE/list Log: slowloris issue is fixed in apache2 Modified: data/CVE/list === --- data/CVE/list 2010-07-16 17:39:29 UTC (rev 14998) +++ data/CVE/list 2010-07-16 20:51:40 UTC (rev 14999) @@ -15485,7 +15485,7 @@ [etch] - pcsc-lite not-affected (directory introduced in 1.5.0) [lenny] - pcsc-lite not-affected (directory introduced in 1.5.0) CVE-2009- [slowloris denial-of-service vulnerabilty in webservers] - - apache2 unfixed (medium; bug #533661) + - apache2 2.2.15-3 (medium; bug #533661) - apache removed (medium; bug #533662) - squid not-affected - squid3 not-affected
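Review bot: the entry now records "apache2 2.2.15-3" as the fix for the slowloris issue but does not say what in that upload mitigates it; for a protocol-level resource exhaustion issue the mitigation (and its limits) belongs in a NOTE, and the entry still has no [lenny] line despite the medium severity.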
[Secure-testing-commits] r14861 - data/CVE
Author: sf Date: 2010-06-11 20:18:10 + (Fri, 11 Jun 2010) New Revision: 14861 Modified: data/CVE/list Log: apache2 not affected Modified: data/CVE/list === --- data/CVE/list 2010-06-11 08:22:30 UTC (rev 14860) +++ data/CVE/list 2010-06-11 20:18:10 UTC (rev 14861) @@ -476,8 +476,9 @@ RESERVED CVE-2010-2069 RESERVED -CVE-2010-2068 +CVE-2010-2068 [mod_proxy_http request mixup on timeout] RESERVED + - apache2 not-affected (does not affect UNIX, only Windows, etc.) CVE-2010-2067 RESERVED CVE-2010-2066
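Review bot: the not-affected justification "does not affect UNIX, only Windows, etc." is too vague for a marking that closes the issue; the "etc." hides whatever other platforms the upstream advisory lists, so spell them out and add the reference so the decision can be re-checked.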
[Secure-testing-commits] r14173 - data/CVE
Author: sf Date: 2010-03-02 19:09:53 + (Tue, 02 Mar 2010) New Revision: 14173 Modified: data/CVE/list Log: new apache issues Modified: data/CVE/list === --- data/CVE/list 2010-03-02 14:15:58 UTC (rev 14172) +++ data/CVE/list 2010-03-02 19:09:53 UTC (rev 14173) @@ -881,8 +881,9 @@ CVE-2010-0426 (sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a ...) - sudo 1.7.2p1-1.1 (bug #570737) NOTE: http://www.openwall.com/lists/oss-security/2010/02/23/4 -CVE-2010-0425 +CVE-2010-0425 [apache mod_isapi DoS] RESERVED + - apache2 not-affected (Windows only) CVE-2010-0424 (The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) ...) TODO: check CVE-2010-0423 (gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a ...) @@ -927,8 +928,11 @@ CVE-2010-0409 (Buffer overflow in the GMIME_UUENCODE_LEN macro in ...) - gmime2.2 unfixed (bug #568291) - gmime2.4 unfixed (bug #568291) -CVE-2010-0408 +CVE-2010-0408 [apache2 mod_proxy_ajp DoS] RESERVED + - apache2 unfixed (low) + [lenny] - apache2 no-dsa (minor issue) + NOTE: Will be fixed in s-p-u CVE-2010-0407 RESERVED CVE-2010-0406
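Review bot: under CVE-2010-0408 the line "NOTE: Will be fixed in s-p-u" is an action item, not a fact, and the file uses "TODO:" for those (see "TODO: check" under CVE-2010-0424 in the first hunk); make it a TODO so it is tracked and later replaced by the [lenny] fixed version. For CVE-2010-0425, "not-affected (Windows only)" is adequate, but a NOTE with the upstream reference would match the neighbouring CVE-2010-0426 entry.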
[Secure-testing-commits] r13873 - data/DSA
Author: sf Date: 2010-01-21 16:12:07 + (Thu, 21 Jan 2010) New Revision: 13873 Modified: data/DSA/list Log: add DSA-1972 etch package Modified: data/DSA/list === --- data/DSA/list 2010-01-21 12:06:30 UTC (rev 13872) +++ data/DSA/list 2010-01-21 16:12:07 UTC (rev 13873) @@ -11,6 +11,7 @@ [17 Jan 2010] DSA-1972-1 audiofile - buffer overflow {CVE-2008-5824} [lenny] - audiofile 0.2.6-7+lenny1 + [etch] - audiofile 0.2.6-6+etch1 [15 Jan 2010] DSA-1971-1 libthai - arbitrary code execution {CVE-2009-4012} [etch] - libthai 0.1.6-1+etch1
[Secure-testing-commits] r13867 - data/DSA
Author: sf Date: 2010-01-20 20:56:55 + (Wed, 20 Jan 2010) New Revision: 13867 Modified: data/DSA/list Log: reserve DSA id Modified: data/DSA/list === --- data/DSA/list 2010-01-20 14:59:35 UTC (rev 13866) +++ data/DSA/list 2010-01-20 20:56:55 UTC (rev 13867) @@ -1,3 +1,5 @@ +[20 Jan 2010] DSA-1975-1 etch - end of life + NOTE: End of life of etch is on Feb 15th [20 Jan 2010] DSA-1974-1 gzip - arbitrary code execution {CVE-2006-4334 CVE-2009-2624 CVE-2010-0001} [etch] - gzip 1.3.5-15+etch1
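Review bot: "NOTE: End of life of etch is on Feb 15th" gives no year; write the full date so the reserved placeholder stays unambiguous as the list grows, and the [20 Jan 2010] date on the entry should be updated to the announcement date once the advisory is actually issued.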
[Secure-testing-commits] r13844 - data/CVE
Author: sf Date: 2010-01-17 10:14:53 + (Sun, 17 Jan 2010) New Revision: 13844 Modified: data/CVE/list Log: new apache 1.3 issue Modified: data/CVE/list === --- data/CVE/list 2010-01-17 09:37:10 UTC (rev 13843) +++ data/CVE/list 2010-01-17 10:14:53 UTC (rev 13844) @@ -1413,8 +1413,12 @@ - uzbl 0.0.0~git.20100105-1 (medium) NOTE: http://www.uzbl.org/news.php?id=22 NOTE: maintainer is aware of it -CVE-2010-0010 +CVE-2010-0010 [Apache httpd 1.3 mod_proxy integer overflow on 64bit archs] RESERVED + - apache unfixed (low) + NOTE: Exploitability is fairly limited: Can only be exploited by a malicious server, + NOTE: not by a client. No sane person uses apache 1.3 as forward proxy and in reverse + NOTE: proxy situations, the backend server is usually trusted, anyway. CVE-2010-0009 RESERVED CVE-2010-0008
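Review bot: the rationale NOTE is useful, but "apache unfixed (low)" has no reference URL and no per-release lines; if the argument (only a malicious backend can trigger it) is meant to justify not issuing an advisory, put it on explicit [etch]/[lenny] no-dsa lines rather than leaving stable unassessed.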
[Secure-testing-commits] r13802 - data/CVE
Author: sf Date: 2010-01-13 18:58:11 + (Wed, 13 Jan 2010) New Revision: 13802 Modified: data/CVE/list Log: new openssl issue Modified: data/CVE/list === --- data/CVE/list 2010-01-13 18:48:55 UTC (rev 13801) +++ data/CVE/list 2010-01-13 18:58:11 UTC (rev 13802) @@ -989,8 +989,11 @@ NOT-FOR-US: IBM Rational ClearQuest CVE-2009-4356 (Multiple integer overflows in the jpeg.w5s and png.w5s filters in ...) NOT-FOR-US: Winamp -CVE-2009-4355 +CVE-2009-4355 [openssl/mod_ssl/php-curl memory leak] RESERVED + - openssl unfixed (low) + [etch] - openssl not-affected (affects only 0.9.8f and later) + NOTE: apache2 packages in squeeze/sid do not seem to allow exploit CVE-2009-4354 (TransWARE Active! mail 2003 build 2003.0139.0871 and earlier does not ...) NOT-FOR-US: TransWARE Active CVE-2009-4353 (The Mobile Edition of TransWARE Active! mail 2003 build 2003.0139.0871 ...)
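Review bot: "NOTE: apache2 packages in squeeze/sid do not seem to allow exploit" is tentative, yet the "low" severity on the openssl line appears to rest on it; make it a TODO to verify, and the [etch] not-affected line should cite where the 0.9.8f boundary comes from so it can be checked. The description also names php-curl, which has no line of its own.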
[Secure-testing-commits] r13621 - data
Author: sf Date: 2009-12-21 22:11:18 + (Mon, 21 Dec 2009) New Revision: 13621 Modified: data/problematic-packages Log: add polipo to problematic-packages Modified: data/problematic-packages === --- data/problematic-packages 2009-12-21 22:09:22 UTC (rev 13620) +++ data/problematic-packages 2009-12-21 22:11:18 UTC (rev 13621) @@ -9,7 +9,7 @@ mathtex: (Nov 2009) No reaction to remote code execution bugs in unstable since July. Only one upload, maintainer has no other packages. -SF: pinged maintainer on 2009-11-29 +pinged maintainer on 2009-11-29, maintainer reacted promptly @@ -40,3 +40,9 @@ swftools: (Nov 2009) Similar situation as with xpdf (it embeds a copy of xpdf). Removed from squeeze, no maintainer response in more than three months. + +--- + +polipo (Dec 2009) +maintainer seems inactive +
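Review bot: the new polipo entry ("maintainer seems inactive") carries none of the specifics the other entries have (which bugs went unanswered and since when), so the claim cannot be verified; add them. In the mathtex hunk, the entry still opens with "No reaction to remote code execution bugs in unstable since July", which now sits oddly next to "maintainer reacted promptly"; say whether the bugs were actually fixed, or drop the entry if the problem is resolved.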
[Secure-testing-commits] r13522 - data
Author: sf Date: 2009-12-12 10:36:04 + (Sat, 12 Dec 2009) New Revision: 13522 Modified: data/embedded-code-copies Log: apr ships a copy of libtool Modified: data/embedded-code-copies === --- data/embedded-code-copies 2009-12-12 10:30:13 UTC (rev 13521) +++ data/embedded-code-copies 2009-12-12 10:36:04 UTC (rev 13522) @@ -1525,6 +1525,8 @@ - libgnucrypto-java unfixed (embed; bug #559788) libtool + - apr unfixed (static; bug #489625) + NOTE: ships copy of libtool in libapr1-dev; was 'embed' before 1.3.2-3 - arts unfixed (embed) - bochs unfixed (embed) - camserv unfixed (embed)
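Review bot: the new apr line tags a copy of the libtool script shipped in libapr1-dev as "(static)" while the NOTE says it "was 'embed' before 1.3.2-3"; since the tag determines how the copy is tracked, the NOTE should say what changed in 1.3.2-3 that makes static the right classification now.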
[Secure-testing-commits] r13483 - data
Author: sf Date: 2009-12-07 22:57:01 + (Mon, 07 Dec 2009) New Revision: 13483 Modified: data/embedded-code-copies Log: another expat embed Modified: data/embedded-code-copies === --- data/embedded-code-copies 2009-12-07 21:14:22 UTC (rev 13482) +++ data/embedded-code-copies 2009-12-07 22:57:01 UTC (rev 13483) @@ -1071,6 +1071,7 @@ - python-xml unfixed (embed; bug #551940) [./extensions/expat/*] - python2.5 unfixed (embed; bug #553403) [./Modules/expat/*] - python2.4 unfixed (embed; bug #553403) + - python-4suite unfixed (embed; bug #516935) - wxwindows2.4 removed (embed) - wxwidgets2.6 unfixed (embed) - wxwidgets2.8 unfixed (embed)
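Review bot: the new python-4suite line omits the path annotation that the neighbouring expat entries carry (e.g. "[./Modules/expat/*]"); record where the copy lives in the source tree so it can be located when a fix has to be applied.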
[Secure-testing-commits] r13399 - data
Author: sf Date: 2009-11-29 10:59:43 + (Sun, 29 Nov 2009) New Revision: 13399 Modified: data/problematic-packages Log: add mathtex to problematic packages Modified: data/problematic-packages === --- data/problematic-packages 2009-11-29 09:39:00 UTC (rev 13398) +++ data/problematic-packages 2009-11-29 10:59:43 UTC (rev 13399) @@ -6,6 +6,13 @@ +mathtex: (Nov 2009) +No reaction to remote code execution bugs in unstable since July. +Only one upload, maintainer has no other packages. +SF: pinged maintainer on 2009-11-29 + + + bugzilla: (June 2009) No reply to security bugs #514143 in unstable in 4 months.
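Review bot: the mathtex entry refers to "remote code execution bugs in unstable since July" without bug numbers, whereas the bugzilla entry below cites "#514143"; add the bug references so the timeline can be checked. The "SF:" prefix is a personal tag that the other entries do not use; the plain form is enough given the svn author.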
[Secure-testing-commits] r13397 - in data: CVE NMU
Author: sf Date: 2009-11-28 23:19:32 + (Sat, 28 Nov 2009) New Revision: 13397 Modified: data/CVE/list data/NMU/list Log: audiofile fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2009-11-28 21:49:29 UTC (rev 13396) +++ data/CVE/list 2009-11-28 23:19:32 UTC (rev 13397) @@ -13673,7 +13673,7 @@ CVE-2008-5745 (Integer overflow in quartz.dll in the DirectShow framework in ...) NOT-FOR-US: Microsoft CVE-2008-5824 (Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile ...) - - audiofile unfixed (medium; bug #510205) + - audiofile 0.2.6-7.1 (medium; bug #510205) CVE-2008-5744 (Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) ...) {DSA-1699-1} - zaptel 1:1.4.11~dfsg-3 (bug #510583) Modified: data/NMU/list === --- data/NMU/list 2009-11-28 21:49:29 UTC (rev 13396) +++ data/NMU/list 2009-11-28 23:19:32 UTC (rev 13397) @@ -177,3 +177,4 @@ 2009-11-09 libgd2 2.0.36~rc1~dfsg-3.1 2009-11-10 openldap 2.4.17-2.1 2009-11-21 gimp 2.6.7-1.1 +2009-11-29 audiofile 0.2.6-7.1
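Review bot: in the CVE/list hunk the CVE-2008-5824 entry sits between CVE-2008-5745 and CVE-2008-5744, out of the file's descending order; that is pre-existing, but worth moving while the entry is being touched. The NMU/list line is dated 2009-11-29 while the commit is dated 2009-11-28; confirm which is the actual upload date.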
[Secure-testing-commits] r13393 - data
Author: sf Date: 2009-11-27 18:26:46 + (Fri, 27 Nov 2009) New Revision: 13393 Modified: data/CVE-2009-3555 Log: nginx tls reneg disabled in unstable Modified: data/CVE-2009-3555 === --- data/CVE-2009-3555 2009-11-27 12:10:41 UTC (rev 13392) +++ data/CVE-2009-3555 2009-11-27 18:26:46 UTC (rev 13393) @@ -25,8 +25,8 @@ - proftpd-dfsg - Disabled SSL/TLS renegotiations in 1.3.2b-2 in unstable - apache2 - Disabled client-initiated SSL/TLS renegs in 2.2.14-2, only partial fix, also issued as DSA 1934 for stable - tomcat-native - 1.1.18-1 +- nginx: disabled renegotiation in 0.7.64-1 + patch at http://sysoev.ru/nginx/patch.cve-2009-3555.txt Candidates for modification: -- nginx: disables renegotiation in 0.7.64, bug #557873, - patch at http://sysoev.ru/nginx/patch.cve-2009-3555.txt - libapache-mod-ssl (oldstable only) bug #556942, no patch yet
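Review bot: moving nginx into the modified list dropped the "bug #557873" reference that the candidate entry carried; keep it on the new line ("disabled renegotiation in 0.7.64-1, bug #557873"). The other entries in that list also say "in unstable" or name the DSA for stable; the nginx line should state whether stable is still open.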
[Secure-testing-commits] r13370 - data
Author: sf Date: 2009-11-24 22:14:59 + (Tue, 24 Nov 2009) New Revision: 13370 Modified: data/CVE-2009-3555 Log: more TLS updates Modified: data/CVE-2009-3555 === --- data/CVE-2009-3555 2009-11-24 21:14:14 UTC (rev 13369) +++ data/CVE-2009-3555 2009-11-24 22:14:59 UTC (rev 13370) @@ -20,9 +20,13 @@ - openjdk-6 - sun-java5 - sun-java6 -- libapache-mod-ssl (oldstable only) Applications, which have been modified: - proftpd-dfsg - Disabled SSL/TLS renegotiations in 1.3.2b-2 in unstable - apache2 - Disabled client-initiated SSL/TLS renegs in 2.2.14-2, only partial fix, also issued as DSA 1934 for stable -- tomcat-native - 1.1.18-1 \ No newline at end of file +- tomcat-native - 1.1.18-1 + +Candidates for modification: +- nginx: disables renegotiation in 0.7.64, bug #557873, + patch at http://sysoev.ru/nginx/patch.cve-2009-3555.txt +- libapache-mod-ssl (oldstable only) bug #556942, no patch yet
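Review bot: "- tomcat-native - 1.1.18-1" under "Applications, which have been modified" gives a version but, unlike the proftpd-dfsg and apache2 lines, not what was changed (renegotiation disabled entirely, or client-initiated only); add that, since the apache2 line shows the distinction matters ("only partial fix"). Moving libapache-mod-ssl to the candidates list with "no patch yet" reads correctly.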
[Secure-testing-commits] r13185 - in data: . CVE
Author: sf Date: 2009-11-02 20:28:54 + (Mon, 02 Nov 2009) New Revision: 13185 Modified: data/CVE/list data/embedded-code-copies Log: apache and apr-util haven't used the embedded expat at least since etch Modified: data/CVE/list === --- data/CVE/list 2009-11-02 19:35:43 UTC (rev 13184) +++ data/CVE/list 2009-11-02 20:28:54 UTC (rev 13185) @@ -285,7 +285,6 @@ - matzana unfixed (low) - tdom unfixed (low) - udunits unfixed (low) - - apr-util unfixed (low) - ayttm unfixed (low) - cableswig unfixed (low) - cadaver unfixed (low) @@ -311,7 +310,6 @@ - kompozer unfixed (low) - vxl unfixed (low) - xulrunner unfixed (low) - - apache2 unfixed (low) - texlive-bin unfixed (low) - vnc4 unfixed (low) - xotcl unfixed (low) Modified: data/embedded-code-copies === --- data/embedded-code-copies 2009-11-02 19:35:43 UTC (rev 13184) +++ data/embedded-code-copies 2009-11-02 20:28:54 UTC (rev 13185) @@ -996,7 +996,7 @@ - matanza unfixed (embed) - tdom unfixed (embed) - udunits unfixed (embed) - - apr-util unfixed (embed) + - apr-util 1.2 (embed) - ayttm unfixed (embed) - cableswig unfixed (embed) - cadaver unfixed (embed) @@ -1023,7 +1023,7 @@ - kompozer unfixed (embed) - vxl unfixed (embed) - xulrunner unfixed (embed) - - apache2 unfixed (embed) + - apache2 2.2 (embed) - texlive-bin unfixed (embed) [included twice] - vnc4 unfixed (embed) - xotcl unfixed (embed)
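Review bot: "- apr-util 1.2 (embed)" and "- apache2 2.2 (embed)" use upstream branch numbers where this file otherwise records Debian package versions; since the log says the embedded expat has been unused "at least since etch", record the Debian version from which the system expat is linked (or add a NOTE saying exactly that), otherwise "1.2" and "2.2" will be compared against real package versions. Removing both from the CVE/list expat entry is consistent with that.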
[Secure-testing-commits] r13096 - data/CVE
Author: sf Date: 2009-10-26 18:50:10 + (Mon, 26 Oct 2009) New Revision: 13096 Modified: data/CVE/list Log: mandos fixed Modified: data/CVE/list === --- data/CVE/list 2009-10-26 12:12:29 UTC (rev 13095) +++ data/CVE/list 2009-10-26 18:50:10 UTC (rev 13096) @@ -53,7 +53,7 @@ CVE-2009-3734 RESERVED CVE-2009- [mandos 0600 file being included in initrd] - - mandos unfixed (bug #551907) + - mandos 1.0.13-1 (bug #551907) TODO: determine real impact CVE-2009-3733 RESERVED
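Review bot: mandos is now marked fixed in 1.0.13-1, but "TODO: determine real impact" stays and the entry still has no severity; resolve the TODO with a severity (a 0600 file copied into the initrd is an information exposure question whose impact depends on who can read the initrd), or leave the TODO deliberately so the open question remains visible.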
[Secure-testing-commits] r12939 - data/CVE
Author: sf Date: 2009-10-05 18:15:44 + (Mon, 05 Oct 2009) New Revision: 12939 Modified: data/CVE/list Log: apache upgrade in 5.0.4 Modified: data/CVE/list === --- data/CVE/list 2009-10-05 17:28:59 UTC (rev 12938) +++ data/CVE/list 2009-10-05 18:15:44 UTC (rev 12939) @@ -1139,6 +1139,7 @@ - apache2 2.2.13-2 (low; bug #545951) [etch] - apache2 no-dsa (minor issue) [lenny] - apache2 no-dsa (minor issue) +TODO: scheduled for 5.0.4: [lenny] - apache2 2.2.9-10+lenny5 (low; bug #545951) NOTE: The attacker needs to have valid credentials for the FTP server, which NOTE: makes this irrelevant in most cases. TODO: check @@ -1149,6 +1150,7 @@ - apache2 2.2.13-2 (low; bug #545951) [etch] - apache2 no-dsa (minor issue) [lenny] - apache2 no-dsa (minor issue) +TODO: scheduled for 5.0.4: [lenny] - apache2 2.2.9-10+lenny5 (low; bug #545951) CVE-2009-3093 (Unspecified vulnerability on the ASUS WL-500W wireless router has ...) NOT-FOR-US: ASUS WL-500W CVE-2009-3092 (Buffer overflow on the ASUS WL-500W wireless router has unknown impact ...)
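Review bot: the two added "TODO: scheduled for 5.0.4: [lenny] - apache2 2.2.9-10+lenny5 ..." lines are not indented like the surrounding status lines, and the same text is duplicated under both CVEs; once 5.0.4 is released the "[lenny] - apache2 no-dsa (minor issue)" line above each must be replaced by the fixed version, so a single TODO that says so would be clearer than a pre-formatted status line hidden inside a TODO.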
[Secure-testing-commits] r12910 - data/CVE
Author: sf Date: 2009-09-30 20:57:03 + (Wed, 30 Sep 2009) New Revision: 12910 Modified: data/CVE/list Log: ffmpeg-debian was renamed back to ffmpeg recently Modified: data/CVE/list === --- data/CVE/list 2009-09-30 18:47:34 UTC (rev 12909) +++ data/CVE/list 2009-09-30 20:57:03 UTC (rev 12910) @@ -10625,7 +10625,7 @@ CVE-2009-0385 (Integer signedness error in the fourxm_read_header function in ...) {DSA-1782-1 DSA-1781-1} - ffmpeg-debian 0.svn20080206-16 (medium; bug #524799) - - ffmpeg removed + - ffmpeg 0.svn20080206-16 - mplayer 1.0~rc2-14 (medium; bug #524805) NOTE: MPlayer links against libavformat since 1.0~rc2-14, etch Mplayer still needs a fix NOTE: http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=72e715fb798f2cb79fd24a6d2eaeafb7c6eeda17 @@ -14724,7 +14724,7 @@ NOTE: only the aac issue affected mplayer because it built against a copy of faad NOTE: the ogm issue is a problem in ffmpeg - ffmpeg-debian unfixed (unimportant; bug #509616) - - ffmpeg removed (unimportant) + - ffmpeg unfixed (unimportant) NOTE: just a crasher, no security implications known so far NOTE: http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities CVE-2008-4609 (The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, ...) @@ -18153,7 +18153,7 @@ NOTE: Only a NULL pointer deference, hardly security relevant CVE-2008-3230 (The ffmpeg lavf demuxer allows user-assisted attackers to cause a ...) - ffmpeg-debian 0.svn20080206-16 (unimportant; bug #498764; bug #498766) - - ffmpeg removed (unimportant) + - ffmpeg 0.svn20080206-16 (unimportant) NOTE: Only a NULL pointer deference, hardly security relevant CVE-2008-3228 (Joomla! before 1.5.4 does not configure .htaccess to apply certain ...) NOT-FOR-US: Joomla 
@@ -18319,7 +18319,7 @@ CVE-2008-3162 (Stack-based buffer overflow in the str_read_packet function in ...) {DSA-1781-1} - ffmpeg-debian 0.svn20080206-10 (bug #489965; low) - - ffmpeg removed + - ffmpeg 0.svn20080206-10 TODO: Check the various embedders in Etch, horray for librification in Lenny CVE-2008-3161 (Multiple cross-site scripting (XSS) vulnerabilities in ...) NOT-FOR-US: IBM Maximo
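Review bot: the hunks turn "- ffmpeg removed" into fixed versions per the rename, but the matching "ffmpeg-debian" lines in the same entries (e.g. "ffmpeg-debian unfixed (unimportant; bug #509616)") are left as live entries even though that source package no longer exists under that name; they should now read "removed" (as the following commit does for its new entry), otherwise the tracker keeps an open "unfixed" status on a package that cannot be uploaded.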
[Secure-testing-commits] r12911 - data/CVE
Author: sf Date: 2009-09-30 21:03:52 + (Wed, 30 Sep 2009) New Revision: 12911 Modified: data/CVE/list Log: various ffmpeg crashes Modified: data/CVE/list === --- data/CVE/list 2009-09-30 20:57:03 UTC (rev 12910) +++ data/CVE/list 2009-09-30 21:03:52 UTC (rev 12911) @@ -1,3 +1,9 @@ +CVE-2009- [ffmpeg missing input sanitization/crashes] + - ffmpeg unfixed + - ffmpeg-debian removed + TODO: file bug + NOTE: https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 + NOTE: https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245 CVE-2009- [xen-tools: world readable disk image files] - xen-tools unfixed (low; bug #548909) TODO: request CVE id
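Review bot: the new ffmpeg entry has no severity, and the description "[ffmpeg missing input sanitization/crashes]" does not say which components the two roundup issues concern; summarise that in a NOTE so the severity can be set, add "bug #" once the TODO is done, and, as the neighbouring xen-tools entry does, note whether a CVE id has been requested.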
[Secure-testing-commits] r12888 - data/CVE
Author: sf Date: 2009-09-26 07:36:34 + (Sat, 26 Sep 2009) New Revision: 12888 Modified: data/CVE/list Log: apr non-issue Modified: data/CVE/list === --- data/CVE/list 2009-09-25 21:14:12 UTC (rev 12887) +++ data/CVE/list 2009-09-26 07:36:34 UTC (rev 12888) @@ -2393,8 +2393,9 @@ CVE-2009-2700 (src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not ...) - qt4-x11 unfixed (medium; bug #545793) [etch] - qt4-x11 not-affected (QSsl* classes were introduced in Qt 4.3) -CVE-2009-2699 +CVE-2009-2699 [apr DoS on Solaris] RESERVED + - apr not-affected (does not affect Linux or kFreeBSD) CVE-2009-2698 (The udp_sendmsg function in the UDP implementation in (1) ...) {DSA-1872-1} - linux-2.6 2.6.19-1 (high)
[Secure-testing-commits] r12890 - data/CVE
Author: sf Date: 2009-09-26 12:50:26 + (Sat, 26 Sep 2009) New Revision: 12890 Modified: data/CVE/list Log: amsn issues Modified: data/CVE/list === --- data/CVE/list 2009-09-26 09:37:46 UTC (rev 12889) +++ data/CVE/list 2009-09-26 12:50:26 UTC (rev 12890) @@ -1,3 +1,7 @@ +CVE-2009- [amsn SSL verification vuln] + - amsn unfixed + TODO: file bug + NOTE: http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html CVE-2009-3391 RESERVED CVE-2009-3390 (Multiple unspecified vulnerabilities in the (1) iscsiadm and (2) ...) @@ -37528,7 +37532,8 @@ CVE-2007-2196 (** DISPUTED ** ...) NOT-FOR-US: Jambook module for Mambo and Joomla CVE-2007-2195 (aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers ...) - NOT-FOR-US: Alvaro's Messenger + TODO: check + NOTE: package amsn CVE-2007-2194 (Stack-based buffer overflow in XnView 1.90.3 allows user-assisted ...) NOT-FOR-US: XnView CVE-2007-2193 (Stack-based buffer overflow in the ID_X.apl plugin in ACDSee 9.0 Build ...)
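Review bot: the new aMSN entry has no severity and no bug number ("TODO: file bug"); a certificate verification flaw in an IM client normally merits a severity once the Juniper reference is assessed, so add one with the bug. Reverting CVE-2007-2195 from NOT-FOR-US to "TODO: check" is right since the package exists as amsn; the check should establish whether the packaged version is newer than the "0.96 and earlier" range in the description.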
[Secure-testing-commits] r12862 - data/CVE
Author: sf Date: 2009-09-21 18:24:43 + (Mon, 21 Sep 2009) New Revision: 12862 Modified: data/CVE/list Log: apache2 nodsa Modified: data/CVE/list === --- data/CVE/list 2009-09-21 17:55:39 UTC (rev 12861) +++ data/CVE/list 2009-09-21 18:24:43 UTC (rev 12862) @@ -451,12 +451,18 @@ NOT-FOR-US: HP Performance Insight CVE-2009-3095 (The mod_proxy_ftp module in the Apache HTTP Server allows remote ...) - apache2 2.2.13-2 (low; bug #545951) + [etch] - apache2 no-dsa (minor issue) + [lenny] - apache2 no-dsa (minor issue) + NOTE: The attacker needs to have valid credentials for the FTP server, which + NOTE: makes this irrelevant in most cases. TODO: check - NOTE: Disclosure has little information, verify that it is really fixed when - NOTE: more info is disclosed. + TODO: Disclosure has little information, verify that it is really fixed when + TODO: more info is disclosed. NOTE: based on a VulnDisco commercial 0day CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the ...) - apache2 2.2.13-2 (low; bug #545951) + [etch] - apache2 no-dsa (minor issue) + [lenny] - apache2 no-dsa (minor issue) CVE-2009-3093 (Unspecified vulnerability on the ASUS WL-500W wireless router has ...) NOT-FOR-US: ASUS WL-500W CVE-2009-3092 (Buffer overflow on the ASUS WL-500W wireless router has unknown impact ...)
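Review bot: CVE-2009-3094 gets [etch]/[lenny] no-dsa lines with no rationale of its own; the "credentials needed" NOTE only justifies the "minor issue" tag for CVE-2009-3095. The reasoning that previously supported 3094's low rating was deleted in r12829 (mod_proxy_ftp must be enabled, proxied backends are usually trusted), so restore it as a NOTE under 3094. Converting the "verify that it is really fixed" note to a TODO is the right call, since it is an open action.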
[Secure-testing-commits] r12829 - data/CVE
Author: sf Date: 2009-09-16 19:56:27 + (Wed, 16 Sep 2009) New Revision: 12829 Modified: data/CVE/list Log: apache2 to be fixed Modified: data/CVE/list === --- data/CVE/list 2009-09-16 17:41:04 UTC (rev 12828) +++ data/CVE/list 2009-09-16 19:56:27 UTC (rev 12829) @@ -319,15 +319,13 @@ CVE-2009-3096 (Multiple unspecified vulnerabilities in HP Performance Insight 5.3 ...) NOT-FOR-US: HP Performance Insight CVE-2009-3095 (The mod_proxy_ftp module in the Apache HTTP Server allows remote ...) - - apache2 unfixed (unknown; bug #545951) + - apache2 2.2.13-2 (low; bug #545951) TODO: check - NOTE: as of 20090910 this disclosure has no actionable information + NOTE: Disclosure has little information, verify that it is really fixed when + NOTE: more info is disclosed. NOTE: based on a VulnDisco commercial 0day CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the ...) - - apache2 unfixed (low; bug #545951) - NOTE: no-dsa candidate. - NOTE: mod_proxy_ftp should be enabled. with -mpm-prefork only a child crashes, not a really DoS - NOTE: when doing reverse proxy, servers to which requests are proxied are usually trusted + - apache2 2.2.13-2 (low; bug #545951) CVE-2009-3093 (Unspecified vulnerability on the ASUS WL-500W wireless router has ...) NOT-FOR-US: ASUS WL-500W CVE-2009-3092 (Buffer overflow on the ASUS WL-500W wireless router has unknown impact ...)
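Review bot: the three NOTE lines removed under CVE-2009-3094 (mod_proxy_ftp must be enabled; with -mpm-prefork only a child crashes; proxied backends are usually trusted) are the rationale for the "low" severity and for the no-dsa candidacy; recording the fixed version is no reason to drop them, so keep them. For CVE-2009-3095, raising "unknown" to "low" while the NOTE says the disclosure has little information deserves a word on what the "low" is based on.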
[Secure-testing-commits] r12543 - data/CVE
Author: sf Date: 2009-08-09 20:43:59 + (Sun, 09 Aug 2009) New Revision: 12543 Modified: data/CVE/list Log: apr/apr-util fixed Modified: data/CVE/list === --- data/CVE/list 2009-08-09 20:10:45 UTC (rev 12542) +++ data/CVE/list 2009-08-09 20:43:59 UTC (rev 12543) @@ -983,8 +983,8 @@ RESERVED CVE-2009-2412 (Multiple integer overflows in the Apache Portable Runtime (APR) ...) {DSA-1854-1} - - apr unfixed - - apr-util unfixed + - apr 1.3.8-1 + - apr-util 1.3.9+dfsg-1 CVE-2009-2411 [subversion: insufficient input validation] RESERVED - subversion 1.6.4dfsg-1
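Review bot: the fixed versions are recorded and DSA-1854-1 is referenced, but neither line carries a severity in parentheses; since the issue warranted an advisory, add one so the entry matches the surrounding convention.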
[Secure-testing-commits] r12402 - in data: CVE DSA
Author: sf Date: 2009-07-24 17:56:08 + (Fri, 24 Jul 2009) New Revision: 12402 Modified: data/CVE/list data/DSA/list Log: remove apache2-mpm-itk from the apache issues to avoid it showing up in unstable/testing. It has a dependency on an exact version of apache2.2-common, allowing to just use the apache2 source package for the tracking. In unstable/testing, apache2-mpm-itk is 'fixed' by binNMU, which is not integrated into the tracker. Modified: data/CVE/list === --- data/CVE/list 2009-07-24 17:21:36 UTC (rev 12401) +++ data/CVE/list 2009-07-24 17:56:08 UTC (rev 12402) @@ -1752,7 +1752,6 @@ {DSA-1834-1} - apache2 2.2.11-7 (medium; bug #536718) [etch] - apache2 not-affected (bug introduced in 2.2.5) - [lenny] - apache2-mpm-itk 2.2.6-02-1+lenny2 [lenny] - apache2 2.2.9-10+lenny4 CVE-2009-1889 (The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets ...) - pidgin 2.5.8-1 (low; bug #535790) @@ -4085,8 +4084,6 @@ CVE-2009-1195 (The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not ...) {DSA-1816-1} - apache2 2.2.11-6 (low; bug #530834) - - apache2-mpm-itk - NOTE: apache2-mpm-itk is vulnerable due to static linking CVE-2009-1194 (Integer overflow in the pango_glyph_string_set_size function in ...) {DSA-1798-1} - pango1.0 1.24.0-2 (medium; bug #527474) Modified: data/DSA/list === --- data/DSA/list 2009-07-24 17:21:36 UTC (rev 12401) +++ data/DSA/list 2009-07-24 17:56:08 UTC (rev 12402) @@ -22,8 +22,6 @@ [15 Jul 2009] DSA-1834-1 apache2 apache2-mpm-itk - denial of service {CVE-2009-1891 CVE-2009-1890} [etch] - apache2 2.2.3-4+etch9 - [etch] - apache2-mpm-itk 2.2.3-01-2+etch3 - [lenny] - apache2-mpm-itk 2.2.6-02-1+lenny2 [lenny] - apache2 2.2.9-10+lenny4 [14 Jul 2009] DSA-1833-1 dhcp3 - arbitrary code execution {CVE-2009-0692} 
@@ -86,9 +84,7 @@ [lenny] - ctorrent 1.3.4-dnh3.2-1+lenny1 [16 Jun 2009] DSA-1816-1 apache2 apache2-mpm-itk - privilege escalation {CVE-2009-1195} - [etch] - apache2-mpm-itk 2.2.3-01-2+etch2 [etch] - apache2 2.2.3-4+etch8 - [lenny] - apache2-mpm-itk 2.2.6-02-1+lenny1 [lenny] - apache2 2.2.9-10+lenny3 [14 Jun 2009] DSA-1815-1 libtorrent-rasterbar - denial of {CVE-2009-1760}
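Review bot: removing the `[etch]`/`[lenny] - apache2-mpm-itk ...` lines from data/DSA/list drops the only record of which apache2-mpm-itk versions DSA-1834-1 and DSA-1816-1 actually shipped, while both DSA headers still name `apache2 apache2-mpm-itk` as the affected packages, so header and version lines now disagree. The rationale in the log (exact versioned dependency on apache2.2-common, binNMU fixes not represented in the tracker) justifies dropping the package from data/CVE/list, but the DSA version lines are historical fact and could stay. The removed `NOTE: apache2-mpm-itk is vulnerable due to static linking` on CVE-2009-1195 is also the only place that explains why the package was tracked separately at all; suggest keeping it as a NOTE, and adding a NOTE stating the binNMU limitation so the package is not re-added later.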
[Secure-testing-commits] r12339 - data/CVE
Author: sf Date: 2009-07-14 15:46:13 + (Tue, 14 Jul 2009) New Revision: 12339 Modified: data/CVE/list Log: CVE-2009-1890 does not affect etch Modified: data/CVE/list === --- data/CVE/list 2009-07-14 14:29:28 UTC (rev 12338) +++ data/CVE/list 2009-07-14 15:46:13 UTC (rev 12339) @@ -1320,6 +1320,7 @@ - apache2 2.2.11-7 (medium; bug #534712) CVE-2009-1890 (The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy ...) - apache2 2.2.11-7 (medium; bug #536718) + [etch] - apache2 not-affected (bug introduced in 2.2.5) CVE-2009-1889 (The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets ...) - pidgin 2.5.8-1 (low; bug #535790) NOTE: http://developer.pidgin.im/ticket/9483
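Review bot: the new `[etch] - apache2 not-affected (bug introduced in 2.2.5)` line justifies the not-affected status only by the parenthetical; a NOTE line pointing at the upstream change that introduced the flaw in stream_reqbody_cl in mod_proxy_http.c would let a later reader verify that etch's apache2 really predates it. The sibling entry directly above (the `- apache2 2.2.11-7 (medium; bug #534712)` line of CVE-2009-1891) still has no etch or lenny assessment, which is worth settling in the same pass.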
[Secure-testing-commits] r12327 - data/CVE
Author: sf Date: 2009-07-12 21:43:43 + (Sun, 12 Jul 2009) New Revision: 12327 Modified: data/CVE/list Log: apache2 fixed Modified: data/CVE/list === --- data/CVE/list 2009-07-12 21:14:13 UTC (rev 12326) +++ data/CVE/list 2009-07-12 21:43:43 UTC (rev 12327) @@ -1301,9 +1301,9 @@ RESERVED CVE-2009-1891 [apache2 mod_deflate DoS] RESERVED - - apache2 unfixed (medium; bug #534712) + - apache2 2.2.11-7 (medium; bug #534712) CVE-2009-1890 (The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy ...) - - apache2 unfixed + - apache2 2.2.11-7 (medium; bug #536718) CVE-2009-1889 (The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets ...) - pidgin 2.5.8-1 (low; bug #535790) NOTE: http://developer.pidgin.im/ticket/9483
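Review bot: the CVE-2009-1890 line gains the severity and bug reference `(medium; bug #536718)` in the same edit that replaces `unfixed` with `2.2.11-7`, but the log message says only `apache2 fixed`; mentioning the bug number in the log (or separating the annotation into its own commit) keeps the history searchable. Neither CVE records `[etch]` or `[lenny]` lines, so the stable suites are assessed from the unstable fixed version alone until a DSA entry is added; that is correct while the fix is pending in stable, but worth an explicit note if the stable status is already known.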
[Secure-testing-commits] r12217 - data/CVE
Author: sf Date: 2009-06-28 18:30:55 + (Sun, 28 Jun 2009) New Revision: 12217 Modified: data/CVE/list Log: new apache2 DoS Modified: data/CVE/list === --- data/CVE/list 2009-06-28 18:25:15 UTC (rev 12216) +++ data/CVE/list 2009-06-28 18:30:55 UTC (rev 12217) @@ -1,3 +1,5 @@ +CVE-2009- [apache2 mod_deflate DoS] + - apache2 unfixed (medium; bug #534712) CVE-2009-2233 NOT-FOR-US: AWScripts.com Gallery Search Engine CVE-2009-2232
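Review bot: the identifier on the new entry reads `CVE-2009-` with no number, so the entry cannot be matched to a CVE once one is assigned and will not sort correctly against its neighbours; file it with an explicit placeholder such as `CVE-2009-XXXX` and a RESERVED marker, then replace it with the real id (the r12327 hunk above shows the same entry later as `CVE-2009-1891 [apache2 mod_deflate DoS] RESERVED`). The `(medium; bug #534712)` annotation is present, which is good; since the bracketed title is the only description, a NOTE with the upstream report would help anyone triaging it.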